Small and medium businesses are constantly at risk of being targeted by cybercriminals, simply because they are smaller than large corporations. The bigger a company is, the more money they have to invest in higher-tech security systems and larger, more involved IT departments. For smaller companies, it is easy to focus on trying to expand business and let security sit on the back-burner. This is where the partnership between Dell and Trend Micro comes in. They have come up with an easy way for small and medium sized businesses to manage their security needs without breaking the bank. Dell Collaborates with Trend Micro Trend Micro’s Business Security Services include several desirable features to make the security portion of running a business much easier. First and foremost, is a set of web-based tools which make administration extremely easy. There is no need for a dedicated in-office server (or any company owned server at all), and the administration panel can be accessed from anywhere with an internet connection. There is also a remarkably low system performance impact, thanks to the fact that once a scan is complete, the results are processed in the “Smart Protection Network” run by Trend Micro. For companies with little or no IT staff on hand, the system comes pre-configured security parameters and runs automatically, so there is less worry about having something set up improperly. Both desktops and laptops are secured with this software, even if they are used outside the office. Anytime the computer is connected to the internet, it is being actively protected. This has the biggest impact on users who travel with their work, as many do. This is a big step forward for one of the top PC suppliers in the world. The fact that this software can come pre-installed on systems shipped to its commercial clients means that they can offer security and piece of mind to a large group of people.

Here is the original: 
Dell Collaborates with Trend Micro

Earlier this week, HP announced that it will soon be adding Fortify to its list of recently acquired companies. This will be a huge advantage for HP in the security market. HP to Acquire Fortify Fortify Software is a company that specializes in software security. Founded in 2003, it has continued to grow and supply Software Security Assurance (SSA) to government agencies and fortune 500 companies in many different industries. Their best known software suite, Fortify 360, is a tool that can root out security issues in software, as well as fix those issues and prevent future vulnerabilities. In February of this year, HP and Fortify released their most recent collaboration, “Hybrid 2.0″ which goes to show that there has been no problems between these companies working together in the past. Once the deal is finalized, Fortify will continue to run as a stand-alone company. Eventually though, they will be slowly integrated into HP’s Software and Solutions business. This will allow HP to put a much larger focus on software security in every aspect of the application life cycle. “Businesses operate in a world of increasing security and compliance challenges, and the applications and services that they rely on are core to the problem and the solution,” said Bill Veghte, the executive VP of the Software and Solutions branch, in the official HP statement on the acquisition. “With Fortify’s leadership in static application security analysis combined with HP’s expertise in dynamic application security analysis, organizations will have a best-in-class solution to improve the security of their applications and services.” This is not the only company HP has had its eye on. Just last month, HP finalized its purchase of Palm, Inc. This was meant to increase their connection to the rapidly growing mobile device market. This past April, HP bought 3Com for its computer network hardware capabilities. These companies were purchased for $1.2 billion and $2.7 billion dollars respectively. The details of the deal between HP and Fortify have not yet been disclosed.

See the original post here:
HP to Acquire Fortify

Patch Tuesday has come and gone, and with it came the biggest Microsoft Update ever seen since they began their monthly update cycle in 2003. The Windows Operating System as well as Internet Explorer, MS Office, MS Office for Mac, MS Works, Silverlight 2 and 3, the .NET Framework and Movie Maker are all affected. Microsoft Issues Record Breaking Security Update There are 14 new security bulletins released this week, 8 of which are labeled as “critical” and the remaining 6 are labeled “important”. These numbers do not include the link vulnerability patch that was released last week, although the Security Bulletin Summary does include that patch with the others. Microsoft is assuring people that of these new vulnerabilities, none have been seen exploited in the wild as of yet. Of the 8 “critical” bulletins, 4 are listed as high-priority, meaning that they should receive immediate attention. MS10-052 - This bulletin addresses a vulnerability in Microsoft’s MPEG Layer-3 audio codecs. Remote code can be executed through specially crafted media files or streaming content from a website or web application. MS10-055 - This bulletin addresses a vulnerability in the Cinepak Codec. Remote code can be executed through specially crafted media files or streaming content from a website or web application. MS10-056 - This bulletin addresses 4 different vulnerabilities in MS Office. An attacker can gain privileges equal to that of the user if that user opens or previews a specially crafted RTF email message. MS10-060 - This bulletin addresses 2 different vulnerabilities in the .NET Framework and Silverlight. Remote code can be executed when viewing a specially crafted web page in a browser which can run XAML Browser Applications or Silverlight Applications, or if the user runs a specially crafted .NET application. More information on these 4 bulletins, as well as the other bulletins, can be found via the Microsoft Security Bulletin Summary for August 2010 .

Read more here:
Microsoft Issues Record Breaking Security Update

This week, Mozilla released a security update for their popular Firefox web browser. Firefox 3.6.7 fixes several security issues that were found in the 3.6.6 version. Over half of the vulnerabilities fixed were listed as “Critical,” which is the highest danger level that Mozilla associates with security issues. Mozilla Rolls Out Security Update For Firefox Of the 14 vulnerabilities listed on the Firefox update site, eight are listed as critical. Mozilla defines a critical issue as a “vulnerability [that] can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.” Basically, a hacker can run their code on your computer to access your information and install malware on your system. For instance, they list an issue with PNG issues. If you browse a site with a maliciously crafted image on it without clicking on anything, you can get a computer virus. The way that most of these vulnerabilities are able to execute code on your machine are to take advantage of pointers to unallocated memory. These pointers are caused by array overflows or de-allocating objects with multiple pointers pointing to it. By using these dangling pointers, they are able to put their code into sections of memory that your computer doesn’t realize are being used, and therefore doesn’t know to protect. Once the malicious code is in memory, it is easy to execute. The best way to protect yourself is to make sure that your browser is always up to date with the most current software. In Firefox, this is as easy as clicking the “Check for updates…” link in the Help menu, or by going to mozilla.com and clicking the big green button in the middle of the screen. This will update your browser to ensure that you have the best protection for your web browsing pleasure.

Excerpt from:
Mozilla Rolls Out Security Update for Firefox

This week, Microsoft released a new security patch for issues affecting the XP and Server 2003 operating systems. The vulnerabilities were all related to remote code execution, though only the XP patches were listed as critical by the Microsoft Security Bulletin. Windows XP Security Patch On June 5, Tavis Ormandy, a Google security researcher discovered a zero-day vulnerability in Windows Help that he reported to Microsoft. When Microsoft and Ormandy could not agree on the terms of creating a fix, he published the vulnerability four days later, creating a huge media storm. There were people on both sides, some arguing that Ormandy acted irresponsibly by spoon feeding a security exploit to hackers who would use it to cause harm. Others argued that without full disclosure, Microsoft would not have taken this threat seriously and wouldn’t act towards fixing the issue. Whether or not Ormandy was right in his actions, the outcome speaks in his favor. This past Tuesday, Microsoft released Microsoft Security Bulletin MS10-042, which addresses these vulnerabilities. This is an amazingly quick turnaround. The normal time frame for “responsible disclosure” is to allow the software manufacturer a 60 day window to fix the problem before public release. To have a fix only five weeks after the bug was brought to Microsoft’s attention makes a strong argument for the proponents of full disclosure. On the other hand, since the release of this particular bug, Microsoft has reported over 10,000 computers have been affected by hackers using this security hole. This is a significant amount of people being affected by a previously unpublished issue. The fact that it was unpublished does not necessarily mean that it was unknown to the people who could exploit it. It is unlikely that Ormandy was the only person that would ever discover this problem. Thanks to his actions, we now have a solution to what could have become a serious problem for more than just the 10,000 people who were unfortunately targeted.

Original post: 
Windows XP Security Patch

Apple has released the newest version of the iPhone/iPod/iPad software, collectively known as iOS. Formerly known as iPhone OS, the new name is not the only change to be had with this update. Security Holes Fixed By IOS 4 On Apple’s website , there is a list of 64 security risks which have been fixed in this new version. The area of the operating system which was apparently the most vulnerable to security breaches is WebKit. WebKit is the browser engine which powers mobile safari on iDevices, and was the cause for 50 of the security patches. That’s three quarters of the errors fixed. Of the security holes in WebKit, over half of them would allow “arbitrary code execution” which is a nice way of saying run a program on your device which could either harm your device or access your personal information, just by pointing your mobile browser at the wrong website. There were 14 non-WebKit related security updates. Safari itself receives the blame for a few of these. There were problems with cookies being accepted when they should have been disabled. There were also issues with URLs during redirects between http and https sites. Furthermore, there were vulnerabilities when viewing “maliciously crafted” BMP, TIFF, and JPEG images. These images could cause data from Safari’s memory to be sent to the web server or for more “arbitrary code execution” on the device. Another severe security vulnerability relates to the passcode lock on iDevices. The first issue is with the Remote Lock via MobileMe. In this instance, the device must be unlocked due to receiving a text message or voicemail, then locked with Remote Lock. The next time the device is unlocked, the passcode will be displayed, thereby granting access to anyone who is in physical possession of said device. The other vulnerability comes in the form of pairing devices with a new computer. As it stands, this can only be done while unlocked. There is a chance for a race condition when the device is initially booted, if it was unlocked when shut down. This can allow the device to be paired with a new computer without unlocking the device first. All of these issues have been fixed with the release of iOS 4. Now the only question is whether or not there will be more opportunities for these security holes to be exploited before the iPad version is released this fall, especially now that they have been published.

Here is the original post:
Security Holes Fixed by iOS 4