Microsoft closes zero-day hole in Internet Explorer; Mozilla and Opera also release patches

Microsoft released an emergency patch earlier this week that fixes a critical hole that affected all versions of Internet Explorer between 5.01 and 7.  This update represents the second time in 18 months that an out of band emergency patch has been issued for Internet Explorer, according to Paul Henry, forensic analyst at Lumension Security.

Henry further noted that, “With less than two weeks away from the holiday and given the wide use of IE within business enterprises and the severity of this vulnerability, we recommend IT professionals patch this as soon as business conditions permit.”

Heise Security UK elaborates further on the problem:

The hole in Internet Explorer is caused by a data binding flaw which potentially causes an object to be discarded without updating the respective array length. This allows attackers to access the memory area occupied by the deleted object, which can be exploited to inject and execute malicious code. Unlike previously assumed, the problem can be exploited with techniques other than a flawed SPAN tag in XML document.

You might want to read up more on this issue from Microsoft Security Bulletin MS08-078.

On the same day, Mozilla have also updated its popular Firefox browser to version 3.0.5 mid-week.  According to Secunia, a number of critical vulnerabilities – some of which could result in remove compromise, were resolved by this latest patch.

Not to be outdone, Opera Software released Opera 9.6.3 mid-week, which fixes a number of flaws ranging from “Extremely Severe” to “Highly Severe.”  It appears that all platforms are affected. You can read the Changelog for Opera 9.6.3 on Windows, or just update as soon as possible.

Spam to hit record levels in 2009

IT security firm Barracuda Networks is predicting that spam – surprise! – will hit record volumes of a staggering 95 percent of all e-mails in 2009.  This will happen despite crackdowns on major spam organizations and outfits over the last few months.

Vice president of product management at Barracuda, Stephen Pao, pointed out the phenomenon in which countries not previously known for sending spam, such as Brazil and Turkey, have became second and fifth on the top 10 list of spam-originating countries.

He explained:

“We believe that this is due in part to residential broadband penetration and a proliferation of datacentres in various countries around the world. As broadband availability increases, the reach and control of botnet activity also grows. Unsecured datacentres are ripe for hacking and hosting malicious content. “

I just came across this case in which a Hong Kong businessman was indicted for artificially manipulating share prices by sending out tens of millions of spam.  Though he pleaded guilty, what amazed me was that the alleged ringleader made about $3 million in the summer of 2005 alone via such spam messages.

With this kind of money involved, it is not hard at all to see why spam will increase!

Cisco 2008 Annual Security Report released

The 2008 edition of the Annual Cisco Security Report by Cisco has been released.  It’s a big read, so you can access it directly here (Registration required).

A summary of the more interesting findings:

  • Spam accounted for nearly 200 billion messages each day, or 90 percent of email sent worldwide.
  • The overall number of disclosed vulnerabilities grew by 11.5 percent over 2007
  • Vulnerabilities in virtualization products tripled to 103 in 2008 from 35 in 2007 – probably inevitable as more organizations embraced virtualization technologies.
  • Threats originating from legitimate domains saw a growth of 90 percent, or double what Cisco saw in 2007
  • Spam due to email reputation hijacking from the top three webmail providers accounted for just under 1 percent of all spam worldwide, but constituted 7.6 percent of all these providers’ mail

Any comments or feedback on the security news roundup this week?