Skip to content
 
Tips for Tech

Tech Alert Briefing for 2/15/2008

February 15, 2008
Update covering February 8 - 14, 2008

Welcome to Tech Talk! In this edition, BOL Gurus John Burnett and Andy Zavoina write about patches (the ones that work and those that don't), malicious servers looking to spoof your customers and more.


Andy


John


You'll read about:

  • VIP (Very Important Patches) from Microsoft
  • MS Works Hackers on the Attack
  • Firefox Issues Patches
  • One Report that the Firefox Fix Isn't
  • An Adobe Update - Get it Soon for Security
  • Vista SP1 Performance Results
  • An Anti-Virus Company Getting Sick
  • Mac OS Update
  • BlackBerry Going Black for 3 Hours
  • 68,000 Malicious Servers Waiting for Your Customers
  • Problems with Encrypting Backups
  • Replacing PINs with New Security
  • Secure Text Messaging Possibly Opening a New Channel to Customers
  • US-CERT's latest vulnerabilities list

Get the details below.
Important Patch Tuesday Updates
Microsoft's monthly update process is pushing out fixes for as many as 17 security flaws, including four critical flaws in Internet Explorer. Tuesday's updates also addressed weaknesses in MS Office and Works, Windows 2000 and Vista, and MS Office 2004 for Macs. The Washington Post's Security Fix has details.

But Attack Code for MS Works Available
Sooner rather than later should be the timeframe for installing vital patches from Microsoft and other software updates. Just one day after Microsoft made their patches available for February, hackers posted the code to exploit one of the flaws in Works. By opening a malicious document you can be infected. This doesn't seem to be the "attack of choice" today, but the threat is real. Read more at Networkworld.

Firefox Fixes Flaws
If Firefox is your a browser you use, check the version you have installed to make sure it is the most current.Ten patches, including three critcal fixes, were released by Firefox last week, bringing the current version up to 2.0.0.12. Networkworld has this story.

But Firefox Patches May Not be a Complete Fix
Last week Firefox released a patch that was intended to fix ten problems, one of which was critical. Soon after the patch was released a Dutch programmer claimed the critical bug was still a problem and he posted the proof-of-concept code to prove his point. PCWorld has this story.

Acrobat Attacks Accelerate
In last week's TechTalk, we noted that Adobe had released an update covering more than two dozen flaws. It now appears that some of those flaws have been exploited since January for malware attacks on PCs with either Adobe Acrobat or Acrobat Reader installed, and the attacks are intensifying, apparently to infect as many PCs as possible before the updates are installed. According to the InfoWorld article, if your users haven't already upgraded to version 8.1.2 of Acrobat or Reader, they should do so as soon as possible.

Vista SP1 Test Results
PCWorld has updated a story on PC performance results after Vista Service Pack 1 is installed. In some cases, recurring tasks are faster. But not everything gets a speed boost from SP1. Some tasks could actually take longer. PCWorld has the details, and a promise to keep testing.

Viral Embarrassment
AvSoft Technologies received an unexpected shot from hackers.AvSoft, an Indian anti virus program vendor with two popular anti virus products on the market, SmartCOP and Smartdog, was hit with an iFrame injection. That's bitter medicine for a company providing anti virus protection. Read about it in Networkworld.

Jargon Watch: iFrame From inline frame, this is an HTML element that allows another HTML document to be embedded inside the main document. iFrames are often used to insert content, such as an advertisement, from another website into the current page. The embedded page can use HTML anchors or JavaScripts, making interactive applications possible.

Apple MacUpdate
Early this week, Apple released a significant security update for users of Mac OS X version 10.4, together with an upgrade to version 10.5.2. US-CERT has a brief description of the update, and a link to Apple's release article.

BlackBerry Disconnects Again
Research in Motion Ltd. blames a problem with a system upgrade for Monday's three-hour service outage. The interruption in delivery of email and web-browsing service was RIM's second major service break in less than a year. According to an article at washingtonpost.com, RIM did a better job of warning its customer base of the break this time. The outage prompted a NetworkWorld "Nearpoints" blog entry about dependence on email and the state of email service today.

Invisible Phish
Three researchers from Georgia Tech and one from Google presented a study, "Corrupted DNS Resolution Paths," to the Network and Distributed System Security Symposium in San Diego. Simple code in a malicious website or email can alter users' registry settings and send them to a malicious DNS server. They estimate there are 68,000 of these malicious servers now. Internet banking customers, for example, wouldn't know they are at a fictitious site and would likely enter logon information that would be captured and used later to withdraw funds. DNS inventor Paul Mockapetris warns that its only a matter of time before this exploit leads to significant financial losses. Read the details on this story at Techworld.

Encrypting Backups Solves Problems, Right?
IBM Internet Security Systems, Juniper, nCipher and other experts warn that encrypting stored data may open an organization to problems. How? Find out in this Techworld article.

Is "Undercover" Better Security?
A new security system is being developed to replace the PIN. A security researcher at Carnegie Mellon University and two graduate students associated with Sharp and Mitsubishi are using a trackball and five color-coded keys instead of a PIN. The security tests show that shoulder surfing is greatly reduced, but how much more time is needed for this improved process? You'll have to read Networkworld for the answers.

Dial Up Secure TXT Messaging
Many of today's and most of tomorrow's banking customers are familiar with text messaging on their cell phones. Banks are considering whether to use SMS (short message service) text messages to send customer alerts about rates or account transactions, but current SMS applications aren't secure enough. CellTrust says it has a product that may help: SecureSMS. Read more on this story at PCWorld.

109 Make Latest US-CERT List
The US-CERT Vulnerability Summary for the Week of February 4, 2008, lists 55 High, 49 Medium and 5 Low severity weaknesses. High severity security faults were listed for Adobe Acrobat and Reader, Apple iPhoto, and HP, IBM, Sun and Symantec products, among others.


Subscribe to Tech Talk and BOL Tech Advisories
In the Banker Store
CD ROM Training
Implementing the Red Flag Guidelines
Video Training
FACTA: Responding to Identity Theft
CD ROM Training
Patch & Vulnerability ManagementArchived Articles on Technology and eBankingYou have access to archived Tech Talk pages and Tech Alerts on BankersOnline's Technology & eBanking Archive page.
Plus, you'll find the latest technology and eBanking articles and guru Q&As there, too.You'll find many more related articles in our InfoVault.

First published on 02/14/2008

Briefing type: 
Tech Talk

Report a problem with this page

Banker Tools View All

A collection of useful resources for various areas of the bank which have been developed by members of the BankersOnline staff or have been created and contributed by users of the BankersOnline site.

Banker Tools

Penalties View All

Search Briefings

Briefing Archives