Virus makers train sights on older applications
by Alan Zisman (c) 2008
First published in Business in Vancouver March 11-17, 2008; issue 959
High Tech Office column
For years, the techno-hip
digerati have derided Windows as a security sinkhole. There’s an urban
myth that an unpatched, unprotected Windows system exposed to the
Internet would be infected within seven seconds. And certainly, large
numbers of Windows systems have been infected with viruses, infested
with spyware, and clustered into botnets without their owners’
knowledge, thereby spreading spam and malware to other computers.
And for years, Microsoft has been struggling to make Windows a harder
nut to crack.
While scoffers may disagree, to a large extent they’ve succeeded. Windows now
includes a bare-bones firewall and optional anti-spyware software.
Internet Explorer warns users before installing potentially risky
software. Windows users are strongly encouraged to have “critical
updates” downloaded and installed automatically, and most do. Vista
goes a step further: the same user account control feature that nags
users too frequently also ensures that software won’t be
stealth-installed.
One sign that the Windows operating system
has toughened up is that malware authors are looking elsewhere for ways
to work their evil.
No, not to Mac or Linux systems. These remain more difficult targets
than Windows.
Instead, applications have increasingly become targeted. While Windows often has
the latest security patches installed, users are still often running
older, unpatched versions of applications. And even though some
applications are set to automatically check for updates, it’s too easy
to ignore the notice that updates are available.
Nearly all of
us have Adobe Reader (or Acrobat) installed to read PDF files. Early in
February, Adobe patched a security hole in which malicious banner ads
had been used to pass on an infected PDF document, which installed the
Zonebac Trojan, turning off antivirus software, altering search results
and more. Adobe’s Acrobat 8.12 ended this vulnerability for
users of the current version but not for users still using Acrobat or
Adobe Reader versions 7 or earlier, though the company is promising a
fix for version 7 users.
Apple’s Quicktime is almost as widely
used as Adobe Acrobat. It’s installed both on its own and as a
component of the iTunes software used with iPods and iPhones. Apple has
been forced to repeatedly update Quicktime as a variety of security
holes have surfaced – 34 times in 2007 alone. Only a week after
Quicktime’s 7.4.1 was released February 6, details were posted of yet
another potential flaw. This was in a Quicktime-based ActiveX control,
meaning that only Windows Internet Explorer users are potentially at
risk. Security company Symantec warned that typically, Quicktime
vulnerabilities are quick to be “actively exploited.”
Another ActiveX vulnerability recently surfaced in a plug-in popular with
members of the Facebook and MySpace social networking websites. As a
result, the U.S. Computer Emergency Readiness Team (US-CERT) is
recommending that Internet Explorer users disable all ActiveX controls.
While Microsoft’s low-end Works application suite isn’t as widely used, it is
often pre-installed on budget systems sold to home and small-business
users. A potentially dangerous flaw in that program’s software to
convert Works WPS-format word processor files to RTF format also popped
up in February.
Don’t use Works? You should still worry. Microsoft Office 2003 uses the
same flawed code to convert Works files.
Applications are not the only security risks. Networked printers, scanners, and
copiers are sophisticated computers in their own right.
They come complete with CPU, RAM, and hard drives and sometimes even run
their own mini web servers. As such, they’re potentially vulnerable to
attacks, perhaps stealing stored documents or even network passwords.
Recognizing this, Xerox has started releasing security patches for
their product line.
And while keeping Windows, your applications,
and now even your printers up to date is an important step toward
security, F-Secure is warning of at least one bogus Microsoft update
site. Clicking on that site’s update button downloads a
Trojan-installing file.