From Microsoft and Apple security updates to the sentencing of the man who hacked former vice presidential candidate Sarah Palin’s e-mail, there was no shortage of news this past week in security.
In a relatively small Patch Tuesday update, Microsoft released three security bulletins to cover 11 vulnerabilities in Microsoft Forefront Unified Access Gateway and Office products. The most serious of the bulletins is MS10-087, which received Microsoft’s highest rating of “Critical.”
“The bulletin is rated Critical for Office 2007 and Office 2010 due to a preview pane vector in Outlook that could trigger the vulnerability when a customer views a specially crafted malicious RTF (Rich Text Format) file,” blogged Jerry Bryant, group manager of response communications for Microsoft Security Response Center, on Nov. 9. “The update also addresses an Office vector for the vulnerability described in Security Advisory 2269637, which has been referred to as ‘DLL Preloading’ and ‘Binary planting.'”
Rival OS vendor Apple came out with a much larger update of its own later in the week, patching more than 130 security issues in Mac OS X. Users of Symantec’s PGP Whole Disk Encryption product who downloaded the update ran into problems, however. The Apple update, Symantec explained, included a new version of the boot.efi file that overwrites the previous edition used by the encryption product. As a result, users found themselves locked out of their computers.
“If the update to OS X 10.6.5 has already been made and the machine fails to boot, the data on the machine is not lost,” Symantec told eWEEK. “The system can be restored using the PGP Recovery CD. Instructions can be found in this Knowledgebase Article.“
Meanwhile, attackers continued to target the recently disclosed Internet Explorer zero-day with new malware. But the week also closed with some news about a familiar name in the security community-Koobface. In a new paper released by Information Warfare Monitor, a researcher took a long look at how the Koobface botnet managed to make $2 million between June 2009 and June 2010.
Elsewhere in the world of attacks, David Kernell, the man convicted of hacking Palin’s personal Yahoo account during the 2008 presidential campaign, was sentenced Friday to a year and a day in federal custody. Kernell was found guilty in April of breaking into Palin’s account by abusing Yahoo’s password recovery feature. He then posted screenshots of the account online.
Also in the realm of e-mail security, Microsoft added the option to have always-on HTTPS encryption to Windows Live Hotmail. The announcement followed in the footsteps of a move by Google, which turned on persistent HTTPS by default in Gmail earlier this year. Microsoft’s decision also builds on recent changes meant to bolster security, including the addition of new “proofs” for user authentication.