Microsoft to release only two OS updates on May's Patch Tuesday
May 7, 2011
Late Friday, Microsoft said that it plans to release only two operating system (OS) updates in the May edition of its regular Patch Tuesday, at around 1:30 PM EST on May 10.
Only one of the two bulletins due to be published on May 10 covers a critical OS update, in sharp contrast to the record-breaking crop of 17 bulletins addressing no fewer than 64 security vulnerabilities that Microsoft published on April 12.
The critical update in May's schedule involves an unspecified security hole in Windows, but only affects Windows Server 2003 and Windows Server 2008.
The second bulletin – rated important – means that Office XP, 2003, 2007 and 2004 for Mac will need updating.
The latest version of Microsoft's application suite is not affected by this update, however.
Despite this month's lighter patch update, Internet security experts urge Windows system administrators not to dismiss the updates as unimportant.
"Both bulletins are specifically targeted at remote code-execution vulnerabilities, so IT administrators should track them closely and address them quickly," said Wolfgang Kandek, CTO at vulnerability scanning services firm Qualys.
In other Internet security news
As an Internet security penetration tester hired to legally hack into the digital fortresses of Fortune 1000 casinos, banks and energy companies, Kevin Finisterre has hacked electronic cash boxes, geologic-survey equipment and a few utility stations.
But one of his most unusual hacking attempts came during a recent assignment, testing the security of a US-based municipal police department. After scanning several IP addresses used by the city, he soon discovered they connected directly into a Linux device carried in police cruisers.
Using little more than FTP and telnet commands, he then tapped into a digital video recorder used to record and stream audio and video captured from gear mounted on the police cruiser's dashboard.
He was shocked by the resulting live feed that eventually appeared on his computer screen. “There was a police officer in his vehicle heading somewhere in traffic in the middle of the day,” said Finisterre, who is principal of security consultancy Digital Munition. “He was clearly trying to respond to an incident or go where he was told to go, in a hurry, and I was able to see this in real time.”
The account underscores the overlooked risks that come with technology designed to give authorities minute-by-minute situational awareness about the emergencies to which their officers are responding on any given day.
And while real-time audio and video feeds from cars often provide senior police officials with crucial and relevant information about what's happening during traffic inquiries, the devices often make that intelligence available to anyone with a standard Internet connection, and that's where all the issues begin. Shouldn't that information be kept confidential at all times?
In Finisterre's observations, he was able not only to tap the live feeds coming from the two separate cameras mounted on the police cruiser, but also to control the hard drive of the DVR. Using default passwords that were hardcoded into the DVR's FTP server and disclosed in support manuals, he was able to upload, download, and even delete files that stored months' worth of video and audio feeds.
The ability for civilians to secretly spy on police officers responding to emergency and 911 calls could have serious consequences for their own safety and the safety of the public at large. Worse, allowing unauthorized people to view and alter video stored on cruisers could also seriously compromise court cases that rely on the DVRs for legal evidence during a crime, bank robbery or drug trafficking.
“We had very adequately proved the point that we could access the hard drive on the DVR unit and clearly see through the eyes of the camera and hear through the microphones in the car, which was more than enough to let them know that there are things we need to look at on their end to get this stuff cleaned up,” Finisterre said.
The police cruiser that Finisterre successfully penetrated, in a city he declined to name, was equipped with a real-time communications appliance known as the Rocket, provided by Georgia-based Utility Inc. The police department was using the appliance to connect laptops, DVRs and other mobile devices carried in vehicles to the city's computer systems.
But unknown to anyone at the city, the Rocket was making those internal resources available over public IP addresses that anyone could tap into.
Indeed, when Finisterre first came upon those IP addresses, he had no idea what was behind them. An Nmap scan revealed the devices were running what appeared to be an outdated version of Linux that left open ports used for several services, including FTP and Telnet utilities.
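A city's own administrators can run the same kind of check against their address space before an outsider does. The sketch below is an added example, not code from the article, Finisterre or Utility Inc.: it parses Nmap grepable (`-oG`) output and flags hosts with FTP or Telnet open, rating them critical when the address lies outside private ranges. The sample scan, its addresses and the severity labels are constructed for illustration.

```python
import ipaddress
import re

# Cleartext remote-access services named in the article.
CLEARTEXT = {21: "ftp", 23: "telnet"}

# Ranges treated as internal; anything else is assumed Internet-reachable.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample in Nmap's grepable format; documentation and
# private addresses only, not real hosts.
SAMPLE_SCAN = (
    "# Nmap scan (constructed sample)\n"
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 21/open/tcp//ftp///, "
    "23/open/tcp//telnet///, 80/open/tcp//http///\n"
    "Host: 203.0.113.11 ()\tPorts: 21/closed/tcp//ftp///, "
    "443/open/tcp//https///\n"
    "Host: 10.20.0.5 ()\tPorts: 23/open/tcp//telnet///\n"
)

def parse_open_ports(line):
    """Return (host, [open TCP ports]) for one 'Host:' line, else None."""
    m = re.match(r"Host:\s+(\S+)", line)
    if not m:
        return None
    ports = []
    for field in line.split("\t"):
        if not field.startswith("Ports: "):
            continue
        for entry in field[len("Ports: "):].split(","):
            parts = entry.strip().split("/")  # port/state/proto/...
            if len(parts) >= 3 and parts[1] == "open" and parts[2] == "tcp":
                ports.append(int(parts[0]))
    return m.group(1), ports

def audit(scan_text):
    """List cleartext services found open, with a severity per finding."""
    findings = []
    for line in scan_text.splitlines():
        parsed = parse_open_ports(line)
        if not parsed:
            continue
        host, ports = parsed
        addr = ipaddress.ip_address(host)
        internal = any(addr in net for net in INTERNAL_NETS)
        for port in ports:
            if port in CLEARTEXT:
                findings.append({"host": host, "port": port,
                                 "service": CLEARTEXT[port],
                                 "severity": "review" if internal else "critical"})
    return findings
```

Any "critical" finding corresponds to the situation the article describes: a cleartext management service on a vehicle device answering on a public address.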
In other Internet security news
Computer scientists say they have developed specialized software that hides sensitive data on a hard drive without using encryption technology, by controlling the precise disk locations of the file's data fragments on the drive.
The software, which the academic researchers said they would release as open-source, makes use of steganography, the ancient art of hiding secret information in plain sight.
The technique has long been employed to keep sensitive data out of the hands of adversaries. The use of encryption, by contrast, is easy to detect, tipping off adversaries that a hard drive or other piece of media contains information considered sensitive and valuable.
The security software ensures that individual disk clusters that store the critical data fragments are positioned in a way predetermined by their own code. A person who later wants to read the sensitive data uses the same application to reassemble the file.
The scientists say their software makes it possible to store a 20-megabyte message on a 160-gigabyte portable hard drive.
“We have presented a unique data security mechanism, a file system-based covert channel which allows a computer user to evade disk forensics by securely hiding data in a removable or permanent mass storage device,” the researchers wrote in their brief, titled "Designing a cluster-based covert channel to evade disk investigation and forensics".
“Data is completely hidden in a manner that an investigator is unable to positively prove the existence of hidden sensitive information.”
The researchers, from the University of Southern California in Los Angeles and the National University of Science and Technology in Islamabad, Pakistan, said that the technique may cause only small performance degradations.
In certain cases, the approach requires the data to be hidden through the use of a secret password shared between the sender and recipient of the data.