A recap of the past week in IT security news includes vulnerability reports from Microsoft, new research on the impact of DDoS attacks on free speech and more.
The past week in security featured a round of new security warnings from
Microsoft, security research and a feud between neighbors that turned
into a miniature cyber-war.
Microsoft issued an advisory Dec. 22 for a security
Internet Explorer 6, 7 and 8.
According to Microsoft, the vulnerability exists due to the creation of
uninitialized memory during a CSS function
within Internet Explorer. Under certain conditions, it is possible for an
attacker to leverage the memory to execute code remotely.
"An attacker could host a specially crafted Web site that is designed
to exploit this vulnerability through Internet Explorer and then convince a
user to view the Web site," Microsoft's advisory warns.
In addition, there were reports of vulnerabilities
the Microsoft WMI Administrative
Tools WMI Object Viewer ActiveX Control as
well as a denial-of-service issue affecting IIS FTP 7.5.
Microsoft also dealt with a bit of fallout from a configuration error
impacting users of its cloud-based Business Productivity Online Suite (BPOS).
BPOS is a set of messaging and collaboration tools that includes Microsoft
Exchange Online, Microsoft SharePoint Online, Microsoft Office
Communications Online and Office Live Meeting. According to Microsoft, the
configuration issue exposed information in customers' Offline Address Books, a
feature in Exchange that permits Outlook users to access copies of e-mail
addresses when users are not connected to Exchange.
"We take our responsibility to safeguard customer data very seriously,
and while no customer action is required, we have notified all our Business
Productivity Online Suite-Standard customers about this issue," said Clint
Patterson, Microsoft's director of BPOS Communications, in a statement.
Away from the world of Microsoft, a beef
ended with the guilty plea of Vincent Ardolf of Blaine,
Minn. He stopped his trial Dec. 17 and
confessed to hacking into his neighbor's wireless Internet connection, posing
as him as he fired off an e-mail threatening U.S. Vice President Joseph Biden.
Ardolf also admitted that he sent sexual e-mails to the neighbor's co-workers,
including one with child pornography.
When he is sentenced, Ardolf faces a maximum penalty of 20 years in prison
on the child porn distribution charge; 10 years on the child porn possession
charge; and five years on both the unauthorized access to a computer and
threats to the vice president charges. He also faces a mandatory two-year
minimum on each count of aggravated identity theft.
News surfaced during the week that attackers
hit the Spamhaus Project
with a distributed denial-of-service (DDoS) attack
Dec.18 in an apparent retaliation for a warning it issued earlier this month
about wikileaks.info, which it said was under control of a Russian hosting
provider known for hosting malware and phishing attacks. A few days later,
research from Harvard University
was being used as a weapon against media sites and human rights
to the report (PDF)
, 280 independent media and human-rights
Websites were hit with 140 attacks between September 2009 and August 2010.
Since 1998, the researchers tallied reports of 329 different attacks against
more than 815 sites, figures they estimate only account for a small portion of
the actual attacks.
Of course, botnets aren't just used for DDoS-they also a used heavily for
spam and malware attacks. But according to security researchers, this holiday
season has seen something of a respite in the amount of Christmas-themed
. M86 Security Labs told eWEEK Dec. 21 that Christmas holiday spam
accounted for less than 1 percent of all the spam making the rounds on the
"Holiday/Xmas spam is a non-event this year as far as activity from
major botnets is concerned," said Phil Hay, senior threat analyst at M86.
"The major botnets that are left are currently spamming their usual
affiliate programs in a typical way, mostly centered around drugs and replicas,"
According to researchers at New York University (NYU), spammers are however
making use of Amazon's Mechanical Turk service in a big way. Mechanical Turk is
a crowdsourcing Internet marketplace that allows programmers to coordinate the
use of human intelligence tasks (HITs). In
, the researchers reported roughly 41 percent of all HITs posted
by requesters who joined the marketplace between September and October were
eWEEK closed out the week with some predictions for the security
landscape in 2011