Year in Review: Bugs/flaws

Security experts coined the term "zero-day Wednesdays" this year, most appropriately.

Cybercrooks found that they could take advantage of Microsoft's monthly patch cycle by timing new attacks right after the software maker released its fixes. Microsoft's patch day is on the second Tuesday of each month, and the company doesn't break its cycle unless an attack has a widespread impact.

Flaws in Office applications especially are favored by the bad guys. Microsoft and security firms repeatedly this year have had to warn of new, small-scale attacks that exploited yet-to-be-plugged security holes in applications such as Word, PowerPoint and Excel.

Some of these hardly visible attacks are the most dangerous ones, particularly for businesses. Widespread worms, viruses or Trojan horses typically get caught by security tools. The small-scale attacks may go under the radar and expose organizations to spy incidents and other unwelcome intrusions. Most experts predict an increase in these inconspicuous attacks.

Microsoft did break its patch cycle twice this year, rushing out fixes for flaws that were being exploited to drop malicious software onto Windows PCs. These attacks targeted consumers and attempted to install spyware and remote-control tools on vulnerable systems when people visited a malicious Web site or clicked on a malicious link.

Critics of Microsoft's patch process provided temporary fixes on both occasions. Experts typically don't recommend these third-party fixes, but in an unusual move some did advise users to apply an unofficial patch developed by European programmer Ilfak Guilfanov for a Windows flaw that surfaced in late 2005 and was fixed by Microsoft on January 5.

Microsoft was not the only one hit by the zero-day blues. Other software makers, including Apple Computer, Oracle and Mozilla, also had to deal with public releases of flaws before they could provide their customers with a fix. Bug hunters repeatedly taunted software makers advocating "responsible disclosure" of vulnerabilities.

Malicious software that targets Mac OS X systems is rare and has been limited largely to proof-of-concept code, instead of actual attacks. However, Apple has had a rough year when it comes to security. Hackers are increasingly targeting the Mac, which experts have said is not impervious to attacks.

In February, a pair of worms that target Mac OS X were discovered, along with an easily exploitable, severe security flaw. The vulnerability exposed Mac users to risks that are more familiar to Windows owners: the installation of malicious code through a bad Web site or e-mail. Apple patched the flaw, but had to redo the patch twice because of installation problems.

Apple stirred controversy at Black Hat briefings this year when it critiqued two security researchers for saying Macs were vulnerable to Wi-Fi hijacks. Since then, however, Apple has twice released fixes for security flaws in its AirPort Wi-Fi system, which, if exploited, could allow Macs to be compromised by sending malicious packets over wireless networks.

Still, flaws in Microsoft's software appear to be the most popular to exploit. That's something experts predict might change with Windows Vista, which Microsoft has touted as the most secure version of Windows yet. Hackers may shift their focus to applications that run on the Windows desktop, such as instant-messaging programs and security tools.

--Joris Evers

2006 Highlights

Microsoft pushes out Windows patch ahead of time

Flaw that has spawned several attacks gets fixed Thursday, after the company comes under criticism.

New Trojans plunder bank accounts

Bank-stealing Trojans wait for victims to sign onto their bank's Web site and then steal money.

Is Mac OS as safe as ever?

Trio of threats suggest hackers are now eyeing the previously ignored software. Should fans worry?

LAMP lights the way in open-source security

U.S. government-sponsored analysis finds that the most popular open-source software is also the most free of bugs.

Tribble on Apple's security troubles

When it comes to patches, Mac OS veteran Bud Tribble says the company doesn't believe in schedules or severity rankings.

Zero-day Word flaw used in attack

Symantec warns of unpatched hole in Microsoft Word that was used in a bid to compromise Japanese government PCs.

Online threats outpacing law crackdowns

Phishing and botnet threats are getting more advanced and show no sign of diminishing, despite efforts by law enforcement.

Breaking into a laptop via Wi-Fi

Flaws in software that runs wireless-networking hardware could let attackers take over PCs, including Macs, Black Hat warns.

Mozilla looks to Microsoft for security

Window Snyder, formerly of Microsoft, now heads up security at the company best known for its open-source Firefox Web browser.

A banner year for security bugs

The number of vulnerabilities found in software will jump this year, experts say--but there's a silver lining.

The future of malware: Trojan horses

Targeted attacks used for industrial espionage have become the nightmare scenario for big companies, researchers say.

Zombies try to blend in with the crowd

Hackers aim to make networks of hijacked computers go unnoticed by merging their communications with common Web traffic.

Zombies continue to chase Windows PCs

Of 4 million Windows PCs found to be infected with malicious software, half were running malicious remote control software.

Attack code out for new Apple Wi-Fi flaw

Researchers rap Apple for mishandling flaws and kick off a "month of kernel bugs" by publishing an exploit for a new Mac Wi-Fi bug.

Topics

Topics

• Web 2.0
• Photos
• Google
• Television
• Apple
• Open source
• Enterprise software
• Newsmakers
• Microsoft
• Privacy/surveillance
• Mobile communications
• Games
• Social networking
• Net neutrality
• Internet video
• Gadgets
• Chips
• Data security
• Clean tech
• Bugs/flaws
• Science
• PCs/servers
• Broadband
• Perspectives