News

The web is indeed becoming a dangerous place. These days, your PC could become infected with malware or vulnerable to a hacker attack just by innocently browsing a website or opening an email. Last July 14th, Microsoft released six bulletins with fixes for at least nine known security vulnerabilities that put users at risk in a range of Microsoft products. Many of the vulnerabilities, if not patched, can allow “remote code execution” or allow a hacker or malicious software to take over your PC and run unauthorized commands. ZDNet’s Ryan Naraine has posted a helpful summary of the released fixes: MS09-029 : This update covers two privately reported vulnerabilities in the Microsoft Windows component Embedded OpenType (EOT) Font Engine, which could allow remote code execution. Rated “critical” for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. MS09-028 : This update fixes three separate vulnerabilities ( one publicly disclosed and under attack! ) in Microsoft DirectShow, which could allow remote code execution if a user opens a specially-crafted QuickTime media file. MS09-032 : This update resolves a privately reported vulnerability in Microsoft Video ActiveX Control. The vulnerability could allow remote code execution if a user uses Internet Explorer to view a specially-crafted Web page that uses the ActiveX control . This vulnerability is currently being exploited in the wild! Rated “critical” for all supported editions of Windows XP and “moderate” for all supported editions of Windows Server 2003. Some of the vulnerabilities, notably one in Microsoft Office Web Components, do not yet have a patch. An attacker who successfully exploits this vulnerability could potentially gain the same user rights as a local user, allowing the attacker to modify or remove files on the PC remotely. This could potentially happen simply by using Internet Explorer to visit a website. A workaround exists by downloading a free utility from Microsoft called FixIt , which prevents the Microsoft Office Web Components from running in Internet Explorer. Users, as always, are advised to immediately download the updates and utilities, or use Microsoft’s Windows Update service. If you need help installing the patches or workarounds, or if you feel your PCs are at risk, contact us immediately. Related articles: Microsoft Security Advisory 972890 Released Microsoft warns of Internet Explorer security hole Microsoft issues patches, including one for IE exploit Internet Explorer’s ActiveX Security Mitigations in Use Microsoft Warns of Security Hole

The National Cyber Security Alliance (NCSA) and  Symantec recently released the results of a survey they did as part of National Cyber Security Awareness Month to assess the awareness and preparedness of small businesses (51 or fewer employees) in countering cybersecurity threats. Some notable findings: Only 28% have formal Internet security policies in place Only 25% provide even minimal Internet use/Internet security training to employees Those companies that do train spend less than 5 training hours per year on average 86% do not have an employee focused on Internet security More than 90% believe they are protected from malware and viruses However: Barely half of the businesses surveyed check their antivirus software weekly to insure they’re up to date 11% never check security tools to make sure they’re current For many, it seems, online security is simply not a top priority, falling far behind other issues such as meeting payroll and managing cash. But this is dangerous thinking, since more and more companies’ operations have become highly dependent on their IT infrastructure and the Internet for communications and business transactions. How about your business? Is it secure? Call us today and find out how we can help. Related articles: Fake security software ‘installed on millions of PCs’ (telegraph.co.uk) Celebrating National Cyber Security Awareness Month 2009 (googleblog.blogspot.com) Symantec lists “Dirtiest Web Sites” (canada.com)

New research from the Ponemom Institute and Lumension , shows that a majority of firms are struggling to secure data as users quickly adopt new and emerging technologies such as mobile, cloud computing, and collaborative Web 2.0 technologies. The study, which surveyed IT security and IT operations practitioners, shows that many (44 percent) feel that their IT network is less secure than a year ago or that their IT security policies are insufficient in addressing the growing threats arising from the use of new technologies. Budgets are also a limiting factor, with many feeling that IT security budgets still aren’t what they need to be to fully support business objectives and security priorities. Other findings from the report: 56% said mobile devices are not secure, representing a risk to data security 49% said data security is not a strategic initiative for their company 48% said their companies have allocated insufficient resources to achieve effective data security and regulatory compliance 47% cited a lack of strong CEO support for information security efforts as a reason for ineffective data security programs 41% said there was a lack of proactive security risk management in their organization Just as large companies worldwide struggle to keep up with security, many small businesses do so even more. If you need help understanding the security implications that new technologies bring to your organization, contact us so we can help. Related articles: Companies face IT attacks in uncertain economy: Ernst & Young (newswire.ca) Keeping America’s information safe offers a secure career (techburgh.com) Cloud Security and Privacy (oreilly.com) Computer Security Challenged By Web 2.0 ‘Endpoint’ Growth (Investor’s Business Daily via Yahoo! News) (slumpedoverkeyboarddead.com)