IE Zero-Day, EU Online Privacy in Security News

The past week in IT security news featured headlines about the European Commission's plans to protect online privacy, reports of an Internet Explorer zero-day attack and much more.

Online privacy was once again in the spotlight this past week when the European Commission announced it is looking to tighten data protection rules for the Web.

According to the commission, the rules should require that businesses clearly inform customers how, why, by whom and for how long their data is collected and used. In addition, the rules should reduce discrepancies in European Union (EU) data protection rules and permit people to give their informed consent to the processing of their personal data.

The commission is accepting public input on the rules through Jan. 15 via its Website. Meanwhile, Facebook was in the news again in regard to the sharing of user IDs (UIDs). This time, it was because the site announced that application developers caught selling UIDs had been suspended.

According to Facebook, less than a dozen application developers were involved, and none was responsible for any of the 10 most popular apps on the site. In a blog post, Facebook engineer Mike Vernal wrote that the company is "instituting a 6-month full moratorium on (the developers' access) to Facebook communication channels, and we will require these developers to submit their data practices to an audit in the future to confirm that they are in compliance with our policies.

"While we determined that no private user data was sold and confirmed that transfer of these UIDs did not give access to any private data, this violation of our policy is something we take seriously," he blogged.

Application security made its way into the news as well, when viaForensics highlighted a number of vulnerable mobile banking applications from companies such as PayPal, TD Ameritrade and Bank of America. The situation highlighted the fact that developers face some unique security challenges when creating mobile applications, security pros said.

"The mobile device itself cannot be considered to be trusted; devices are lost and stolen all the time," Richard Wang, U.S. manager of SophosLabs, told eWEEK. "I think these incidents show that the comparative lack of experience of mobile developers when it comes to security considerations [such as] storing usernames and passwords in plain text on the device is a rookie mistake."

Malware developers think about security as well-albeit for a different purpose, as highlighted here in a discussion of some of the techniques attackers use to fight back against researchers and rivals.

They also think about new vulnerabilities, as exemplified by the appearance of a new Internet Explorer zero-day attack. Microsoft issued an advisory on the issue Nov. 3, after researchers at Symantec noticed an attack exploiting the vulnerability to infect users with a backdoor Trojan known as Pirpi. The vulnerability impacts IE 6, 7 and 8, though there are mitigating factors detailed in the advisory.

According to Microsoft's pre-Patch Tuesday notification advisory, the IE bug is not on the agenda to be fixed Nov. 9. However, the company does have patches slated for Microsoft Office and Forefront Unified Access Gateway (UAG). Of the three security bulletins (two for Office, one for UAG), two are rated "Important" while the third, which affects Microsoft Office, is rated "Critical."