Microsoft pledged to focus on security last week in an edict from Bill Gates that might be PR fluff – but not necessarily. Gates has a keen sense of when Microsoft has to turn itself around, and this might be one of those times when the company redefines itself and stays a step ahead.
I mention these items from the last couple of days for two reasons: one, because security issues are quite real; and two, because the news coverage might lead you to think that Microsoft products are uniquely vulnerable.
01/24/02 RealNetworks will release a patch for a security flaw in its RealPlayer 8 software that could allow a rogue site to crash the player and potentially execute malicious code.
01/24/02 A security hole in ICQ instant messaging software could allow remote attackers to execute malicious programs on the users’ computer.
01/23/02 CNet Catchup, a Windows software update utility from CNet Networks, contains a security vulnerability that could enable a remote attacker to run malicious code on the user’s computer. CNet promotes Catchup as a one-stop way to identify software updates and security fixes; it is also the online software-update service provider for Symantec’s Norton Web Services, part of the Norton SystemWorks suite. CNet Catchup has been downloaded 7.6 million times from Download.com.
01/23/02 The failure of major Web sites to fix an old but serious security flaw has prompted the Computer Emergency Response Team to issue a new warning to Internet users: Self-defense may be your only protection against privacy- and security-stealing cross-site script attacks. Many high-profile sites, including online financial institutions and stores, have failed to heed CERT’s nearly 2-year-old advisory on preventing cross-site script attacks on their visitors. As a result, Internet users who repose trust in such sites may be susceptible to an array of attacks from malicious third parties, including theft of passwords, credit card numbers, browser cookies, and other private data.