This is a good time to remember to keep you Windows updated, but more than that to ensure you also keep your anti-virus updated, to take care of those problems that haven’t yet been patched by software vendors.

Don’t forget that Adobe also released a slew of critical patches last week in a drive to fix some of the more critical problems in Flash and Acrobat/Reader.

Andrew Lee
CTO, K7 Computing

The company will issue an update to fix a security flaw in the browser’s cross-site scripting (XSS) filter which, if left unfixed, would put users at risk of malicious software.

Microsoft said that the update will be released in June to fix the hole that researchers warned about at the Black Hat Europe conference in Barcelona last week. The researchers showed how problems with the filter could be used to inject malicious code on to sites including Google, Microsoft’s Bing search site and Twitter.

“The XSS Filter related Black Hat EU presentation discussed a vulnerability that was previously disclosed and addressed in the January security update to Internet Explorer (MS10-002),” David Ross wrote on the Microsoft Security Response Center blog.

“Like many security issues – take malware as an example – attack vectors are always a moving target.  The role of the browser maker is to do everything we can to keep people safe without them having to do a lot of extra work.”IE to us

Two security bulletins will be released on Tuesday, one for Microsoft Windows and one for Microsoft Office, fixing eight issues in total which are all rated ‘important’ by the software giant.

The affected operating systems include Windows XP, Vista and Windows 7 whilst various versions of Office, for both Windows and Mac, are also affected.

“We recommend that customers review the Advance Notification web page and prepare to deploy these bulletins as soon as possible,” said Jerry Bryant, senior security communications manager at Microsoft, in a blog post.

“To provide additional guidance for deployment prioritisation, customers should note that both bulletins will address issues that would require a user to open a specially crafted file. There are no network-based attack vectors.”

Bryant also reiterated that Microsoft will be cutting support for various versions of Windows XP, 2000 and Vista.

Windows XP SP2 will no longer be supported from July 13 2010, with those customers encouraged to upgrade to SP3 or Windows 7. Windows Vista RTM will not be supported after 13 July 2010, with support for Vista SP1 ending one year after that. SP2 will still be supported. Extended support for Windows 2000 will also be retired as of July 13, 2010, when the company will cease all updates for Windows 2000.

“A couple of months ago, I started including information about products that are reaching the end of their product lifecycle,” he added. “It is extremely important for customers to move to supported platforms because after the dates below, those products/service packs, will no longer receive security updates.”

Mundie claimed that because of the sheer scale of security threats online, users should have to complete training before they are allowed online.

The controversial comments came as Mundie spoke at the World Economic Forum in Davos, in which he proposed a three-tier system of authentication – for people, devices and applications.

The comments stressed that most users were unaware of online threats, with many unaware of scams such as phishing, advance fee fraud (419) scams, spyware and Trojans. Many users also fail to update their antivirus software on a regular basis.

He conceded that whilst this would mean some loss of anonymity for users online, people were accustomed to having to present identification in other areas of life and the internet should not be different.

“If you want to drive a car you have to have a license to say that you are capable of driving a car, the car has to pass a test to say it is fit to drive and you have to have insurance,” he said.

“People don’t understand the scale of criminal activity on the internet. Whether criminal, individual or nation states, the community is growing more sophisticated.”

After Microsoft admitted that it was a flaw in its browser that was exploited by hackers looking to launch an attack on Google systems, Microsoft will today (Thursday) take the rare step of releasing a critical security update early, with the update not due until February 9.

The update will be released at approximately 10am PST and comes after a number of high profile groups, including the governments of Australia, France and Germany, called for users to use alternative browsers to Internet Explorer, which has around 62.3% of the worldwide browser market. Following the announcement, both Mozilla Firefox and Opera, browsers which both claim user security as a selling point, saw notable spikes in the number of downloads.

“This is a standard cumulative update, accelerated from our regularly scheduled February release, for Internet Explorer with an aggregate severity rating of critical,” said Microsoft security programme manager Jerry Bryant.

“It addresses the vulnerability related to recent attacks against Google and a small subset of corporations, as well as several other vulnerabilities. Once applied, customers are protected against the known attacks that have been widely publicised.”

Microsoft have continued to refute claims that Internet Explorer is unsafe.

Microsoft, who typically release security updates in bulk on the second Tuesday of the month, will issue four updates for Microsoft Windows 2000, XP, Vista and Server editions 2003 and 2008 on November 10, three of which are considered to be “critical”.

All four of the updates for Windows will require a system restart once the download has completed.

Two updates are to be issued for Microsoft Office which will apply to both Windows and Apple Mac versions.

“Customers should plan a restart for the Windows bulletins,” said Jerry Bryant, security program manager for Microsoft Security Response Center in his blog.

“The Office bulletins may not require a restart if the components being updated are not in use.”

Last month, the software giant issued its biggest ever security update, aimed at fixing as many as 34 security vulnerabilities, mainly in Internet Explorer 8 and its latest operating system, Windows 7. Security flaws in Office, Silverlight and other tools were also affected.

The biggest update prior to that also came this year, with ten bulletins issued in June to fix 31 vulnerabilities.

Microsoft will host a webcast to address customer questions on these upcoming bulletins on November 11, 2009, at 11:00am Pacific Time (US & Canada). Computer users are also advised to run a virus scan their antivirus software prior to downloading the updates.

In the seventh biannual Microsoft Security Intelligence Report, the software giant claims that infections from worms have more than doubled between January and June 2009, although Trojans were still the biggest cause for concern. The company also highlighted a notable increase in scareware related infections, where customers are typically persuaded into purchasing bogus antivirus software.

The report claims to have taken extensive coverage of the market, as making use of Microsoft’s comprehensive footprint on consumer as well as corporate computers and the web. Data has also been taken from the company’s Bing search engine as well as various applications, including Live OneCare, Forefront Protection for Exchange cloud service, Malicious Software Removal Tool, and Windows Defender.

The report attributes much of the increase to the ‘Conficker‘ worm, also known as Downadup or Kido and less known ‘Taterf’.

The advice from Microsoft for users was to ensure that they kept an up-to-date antivirus software programme and to exercise caution whilst online.

“We’d recommend, in addition to automatic updates, firewalls and up-to-date anti-virus, that users never log into an account unless they’re on a machine they trust, and don’t download cracks or tips unless from a trusted server,” Cliff Evans, head of Microsoft UK told V3.co.uk.

The latest update, which like other Microsoft updates is being released on the second Tuesday of the month, will include thirteen security bulletins to fix 34 known flaws, predominantly closing a loophole exposed with the running of Internet Explorer 8 browser in Windows 7.

In particular, Microsoft have stated that the update will fix two critical loopholes, these being Vulnerabilities in SMB Could Allow Remote Code Execution (975497) and Vulnerabilities in the FTP Service in Internet Information Services (975191).

Flaws in Microsoft Office, Silverlight, Forefront, Developer Tools, and SQL Server will also be fixed by the new update.

The biggest update issued previously by Microsoft’s was released in June 2009, with 10 bulletins designed to tackle 31 vulnerabilities.

Most users will get the updates automatically but download links are also available on Microsoft’s security pages. Once applied to a PC, the machine will need to be re-started before the fixes take effect.

Users are recommended to perform a virus scan with their antivirus software prior to downloading the updates, which will be issued at 10:00am PDT (UTC -8).

Microsoft has launched law suits against five unnamed individuals who they say have been attacking websites by placing ads designed to harm their customers.

The advertisements typically contain code that is designed to exploit loopholes in Microsoft products, typically the Windows operating system and the company’s Internet Explorer browser. This allows hackers to then obtain control of a user’s PC, usually for the purposes of distributing spam. Other ads have been known to direct users to sites containing malicious software, such as fake antivirus software.

The individuals concerned are anonymous names connected with businesses including Direct Ad, ITmeter INC, qiweroqw.com, ote2008.info and Soft Solutions.

Tim Cranton, associate general counsel with Microsoft, wrote in a blog post: “Microsoft works vigilantly, using both technology and the law, to fight illegal activity that undermines people’s trust in the Internet and online services.

“Today’s filings build on other recent actions we’ve taken against click fraud and instant messaging spam”, he added.

The software giant also advised consumers to take steps to protect themselves from malicious attacks by updating their antivirus software and by adopting a more cautious approach when divulging personal details to unknown sites.

A malicious software removal tool from the software giant has removed malware from a staggering 2.2m PC’s in the USA in August, more than the other nine top countries combined.

A total of 8,750,628 potential threats have been removed by the tool from 2,183,166 infected machines last month, equivalent to just over four individual threats per PC running the Microsoft malware removal tool.

By comparison, second-place in the report was China, with 1,085,140 threats removed from just 383,378 machines, equivalent to 2.83 threats per PC. In total, countries ranked 2^nd to 10^th in the report recorded an aggregate of 1,874,174 infected PCs.

Unsurprisingly, English speaking countries had amongst the highest threats-to-machines ratio, with computers in the UK having an average of 3.88 malware threats and computers in Canada having an average of 3.62 threats. Mexico was also high in this regard, with 3.8 threats per PC.

“The US is at the top of this list as it is by default the top target for most of the malicious code out there,” Marian Radu and Scott Wu, two members of the Microsoft Malware Protection Center wrote on the company’s blog. “China and Brazil are actually a totally different story. While China is a top target for online games password stealers and the black market associated with it, Brazil is a prime goal for another breed of password stealers: those targeting bank accounts. Given these locations, it should come as no surprise that the top prevalent threats are what they are.”

Microsoft also revealed that the worm Win32/FakeRean, a form of malware that poses as fake antivirus software, was removed from 162,328 machines, despite only being added to the MMPC earlier in the month.