Must-Have Security Fixes for IE7, Microsoft Servers (PC World)

Today's montly patch batch from Microsoft fixes a critical flaw in Internet Explorer 7 that could allow a malicious Web site to install malware on a vulnerable PC, along with a patch for the Visio diagramming software. And businesses that run a Microsoft Exchange or SQL server will want to apply essential fixes right away.

MS09-002 IE7 flaw "can be crafted easily," so be sure you get this one via Windows Update. The Internet Storm Center posts that there aren't yet any known attacks, but it affects both XP and Vista. But only IE7, interestingly, and not earlier versions of the browser.

You'll also find a fix for the Visio software which can allow an attacker to run any command if you open a hacked Visio file. The program is popular among network and server administrators who typically have far-reaching permissions on their networks, so I wouldn't be at all surprised to see a targeted attack come along that goes after this flaw. Get more info and the patch from the MS09-005 bulletin. The other two fixes are for servers - Exchange and SQL server. There has been exploit code out there for the SQL server flaw since December, according to the ISC, so if you have a publicly accessible SQL server at your company (via a Web site) schedule an emergency fix to prevent a SQL injection or other attack. Get details at the MS09-004 page.

Do the same for your company Exchange server, which could be taken over by specially crafted TNEF message sent to it by an attacker. No known attacks against this one just yet, according to the ISC, but don't wait for one to show up. This one's MS09-003.

Kaspersky Says Web Hack 'should Not Have Happened' (PC World)

software news

It's the worst thing that can happen to a computer security vendor: This weekend, Moscow's Kaspersky Lab was hacked.

A hacker, who identified himself only as Unu, said that he was able to break into a section of the company's brand-new U.S. support Web site by taking advantage of a flaw in the site's programming.

On a conference call with reporters, Kaspersky Senior Research Engineer Roel Schouwenberg said that while he believes that the hacker did not access any customer information such as e-mail addresses, the hack would hurt the company's image. "This is not good for any company, and especially a company dealing with security," he said. "This should not have happened, and we are now doing everything within our power to do the forensics on this case and to prevent this from ever happening again."

Schouwenberg blamed the breach on a Web programming flaw that was introduced in a Jan. 29 redesign of the support site, meaning that the bug was live on Kaspersky's site for about 10 days. "Something went wrong in our internal code reviewing process," he said.

This flaw left Kaspersky's support site vulnerable to what's known as a SQL injection attack, which could have given the hacker access to about 2,500 customer e-mail addresses and to perhaps 25,000 product activation codes.

In a SQL injection attack, the hacker takes advantage of bugs in Web programs that query databases. The point is to find a way to run commands within the databases and access information that would normally be protected.

Code on Kaspersky's Web site is typically subjected to an internal and external audit. Kaspersky has hired database expert David Litchfield to investigate the incident and expects to be able to report more on the hack within 24 hours, the company said.

In an e-mail interview, Litchfield said that he has done this type of investigation before. "Typically there are no problems with investigations of this type. Of course, an attacker can attempt to hide their tracks, which makes things more difficult -- but by no means impossible."

Unu notified Kaspersky of the bug via e-mail on Friday, and then one hour later hacked into the site. Kaspersky didn't see that e-mail until much later, but the company realized it had been hacked by around noon Eastern Time on Saturday, Schouwenberg said. Just 15 minutes later, Kaspersky reverted to an older version of its support site code, which did not contain the error.

Kaspersky believes that Unu is from Romania, but is not seeking legal action in the case. Romanian authorities have limited resources and are unlikely to investigate the incident further, Schouwenberg said in an e-mail.

Worse attacks have happened. In fact, the Kaspersky hack is "barely even worth mentioning" next to major security breaches, such as the recent hack that gave criminals access to systems at credit-card processor Heartland Payment Systems, said Paul Roberts, an analyst with The 451 Group. "But Kaspersky is a security company, " he said via instant message. "So there's a much bigger reputational risk here than with, say, some supermarket."

news.yahoo.com

Yahoo and IBM team up to offer businesses free data search tool

Yahoo and IBM jointly introduced free software that businesses could use to find information stored in their own computers or on the Internet.

IBM OmniFind Yahoo Edition was billed as a "no-cost, entry-level enterprise search product" and went up against offerings from Google and other competitors in a growing business data search market.

"Organizations of all sizes are faced with the problem of too much information residing in different locations and in different formats, making it nearly impossible to quickly extract meaning," said IBM general manager Ambuj Goyal.

world software news

Enterprise search systems typically cost thousands of dollars. Google has offerings selling for as much as 30,000 dollars (US) in what is considered the low end of the business market.

IBM already markets OmniFind versions for corporations. The free offering was tailored for small businesses and included Yahoo Search services.

The Yahoo-powered IBM offering can be downloaded for free and easily installed on existing computer hardware, according to the companies.

"This is a valuable tool for helping organizations improve employee productivity by enabling them to more quickly find needed information," Yahoo vice president Eckart Walther said in a release.

"By empowering customers and partners to quickly find information on the Web, we're also able to reduce their support costs."

OmniFind can handle as many as 500,000 pages per server and can scan documents in more than 30 languages, according to IBM.

news.yahoo.com
software news