By Erika Morphy TechNewsWorld Part of the ECT News Network
02/15/07 9:59 AM PT
The dozen patches issued by Microsoft Tuesday include fixes for very serious flaws, said FireEye CEO and founder Ashar Aziz, who predicted Microsoft will distribute more fixes for Vista in the near future. Although Microsoft's new OS raised the bar for security, he added, such a complex and vast program is bound to contain many flaws and exploits.
Microsoft (Nasdaq: MSFT) on Tuesday issued 12 software patches, six of which covered vulnerabilities the company designated as "critical." The patches were part of Microsoft's regular Patch Tuesday security bulletin.
TechNewsWorld spoke with Ashar Aziz, CEO and founder of network malware security firm FireEye, to find out how dangerous these vulnerabilities were as well as what to expect in future Patch Tuesdays now that Vista is on the market.
TechNewsWorld: Twelve patches, one of which fixed a vulnerability in
some of Microsoft's security applications -- how bad, exactly,
were these vulnerabilities?
Ashar Aziz: These are very serious flaws that allow remote code
exploitation on the processing of PDF or Word files.
These are just the kinds of flaws that permit targeted
attacks to penetrate into corporate networks, since
PDF and Word files are typically permitted as
attachments past corporate e-mail gateways.
These vulnerabilities are extremely dangerous to
corporations since they enable targeted attacks that
bypass traditional security filters and firewalls.
Because common file types like PDF are usually allowed
through security scanners and firewalls, malicious
parties can establish a beachhead in the enterprise
network and utilize remote code execution to build
botnets.
TNW: Corporations are clearly the target of hackers
these days. Do you think their customers are at
greater risk as a result?
Aziz: Yes, absolutely. In addition to an increase in
malicious software attacks, the threat is becoming
increasingly more dangerous to corporations and their
customers alike. Malware has evolved from loud and
infectious worms -- often intended to grab headlines --
into stealthy and monetized crimeware aimed at
discreetly stealing corporate assets without
detection. In many cases, crimeware is out to get
sensitive customer data, which could lead to serious
reputation damage, especially for a retailer. Look at
what TJX and its TJ Maxx stores have recently
experienced.
TNW: Do you foresee a day when the situation improves?
Aziz: Patch Tuesday is hardly a surprise [anymore] given
how crimeware is escalating and becoming increasingly
difficult to prevent. As a result, we can expect to
see even more patches in the future.
TNW: Are there any additional security measures
companies can take?
Aziz: Software patches are a good first step, but they
are essentially just a band-aid on a wound. The good
news is that with a patch, the organization knows
about the threat and can work to repair damage. But
this is the mere tip of a much larger iceberg. What
about the threats that have not yet been detected? How
does an organization protect against stealthy
crimeware that flies under the radar? Patches are
just one line of defense, and hardly enough given the
damage that crimeware can cause today. Companies must
explore solutions that detect and capture malware
before it even enters the network.
On patches, the industry talks about zero-day
protection as if this will adequately address a
security threat such as a malicious bot aimed at
mining sensitive customer data. But zero-day starts
when the patch is issued to the world. What about
that dangerous window from when the crimeware was
first introduced until the patch was available? That
window of vulnerability is typically over 12 months
and often even up to three years or more.
Organizations need a line of defense to close that
window if they want true zero-day protection. Patches
alone won't suffice.
TNW: What do you think of Vista's security measures?
Aziz: It is not uncommon to see a rash of security
patches for a new product, and indeed we are starting
to see them for Windows Vista. Vista is safer than
previous releases, but its absolute security is still
in question. It is difficult to construct large,
complex systems that are inherently secure using
current generation software development
methodologies. We believe that serious security flaws
will be discovered in Vista, although the bar to find
such flaws has been raised higher than in previous
releases. You can almost expect that for a new
product. But we are still seeing patches for products
that have been on the market for many years, including
Windows XP, Office and Internet Explorer.
There are over 100 million lines of program code in
Vista. Even if we assumed an extremely low rate of
security bugs, the sheer complexity of Vista means
there will be security bugs. A security bug
rate of 0.001 percent would mean there are over 1,000 security
bugs yet undiscovered in Vista.
Vista includes a new networking stack. Historically,
networking code has been the source of many security
holes. New code that has not been field-tested for
years is highly likely to contain security flaws,
despite the best efforts of its authors. Again, this
underscores the real threat -- stealthy crimeware that
goes undetected for years. Many
are saying that Vista is not secure. Patches and
additional security features for Vista will help, but
organizations must approach this at the network level,
not just at the operating system or application.