Security Outlook Poor as 2008 Winds to Close

December 16, 2008 Alex Woodie

The state of IT security appears to be on the decline as 2008 comes to a merciful close. Microsoft just issued a massive number of patches one week ago, but it’s the one patch that wasn’t issued–for a zero-day flaw discovered in IE 7 just days before–that ruins the batch. Meanwhile, the global economic crises plods on as cyber pirates continue to ramp up their online schemes–events which have combined to form what IBM labeled a “perfect storm” of security threats. Happy holidays!

Microsoft released eight security patches to resolve a total of 28 vulnerabilities last week, the final monthly “Patch Tuesday” event of the year. The fixes addressed many flaws across Microsoft products, including IE and Office, and will help to protect customers from a flood of new phishing and data mining attempts. But the fixes did nothing to stop a potentially disastrous new zero-day flaw discovered in Internet Explorer 7.

Details of the new flaw, which involve IE’s handling of XML, were released just a few days before the December Patch Tuesday event, and appeared to be timed to coincide with the release of the patches. The first active exploits of the IE7 flaw were reported last Monday, according to ScanSafe, a company that delivers security protection via software as a service (SaaS).

IT organizations should brace for the worst as a result of the flaw, says Mary Landesman, senior security researcher at ScanSafe. “Zero-day exploits involving any widely used software are particularly concerning. [But] when it impacts a browser as widely used as Internet Explorer, it can have serious implications,” she says. “Predictably, attackers were very quick to add the IE7 exploit to their tool kit and we anticipate these attacks will escalate over the coming weeks.”

Whereas much malware was distributed via e-mail previously, 2008 saw an unprecedented increase in attacks on Web sites, particularly new social networking “Web 2.0” Web sites, according to an end-of-year security report issued by Symantec‘s MessageLabs subsidiary.

According to MessageLabs, the daily number of new Web sites containing malware rose from 1,068 in January to its peak at 5,424 in November. Many of these sites were compromised through SQL injection techniques, and many of the attacks targeted the new wave of popular social networking sites, says Mark Sunner, chief security analyst for MessageLabs.

“Web 2.0 offers endless opportunities to scammers for distributing their malware,” Sunner said. “Web 2.0 thrives on user-generated content, as do the spammers. The ability to adapt to new mediums and upload enticing content as ‘snake oil’ to persuade an information-hungry user to activate it, is one of the cybercriminals’ strongest talents, and has made them successful in transforming deception into a fully scalable business model within the underground shadow economy.”

Meanwhile, IBM announced that it would bolster the security services it offers through its Internet Security Systems subsidiary to thwart what it views as a perfect storm of security threats.

Statistics from the X-Force research arm of ISS points to a worsening of the IT security across the globe since August. Network and Web-based security events over the last 120 days have increased 30 percent at organizations that utilize ISS services. In response, ISS has seen a 40 percent increase in use of ISS’ virtual operations centers among its clients, which shows that ISS customers are worried.

“We are currently in a perfect storm of security threats as businesses are cutting costs, insider threats are rising, and cybercriminals are using the ensuing confusion to create opportunities for themselves,” says Val Rahmani, ISS general manager.

IBM says it will take several steps to respond to these threats. These include a new identity and access management service to be launched next year (weakness in identity management and access is responsible to 42 percent of vulnerabilities, IBM says); a new reseller program that allows partners to resell ISS security services; and free security infrastructure assessments.