The SC Magazine Newsteam Blog

A much needed weekend, then, more patching pain

Posted February 8, 2008

If you’re an IT administrator responsible for hundreds of machines, I didn’t envy your job this week. Then again, I don’t really envy it any week - probably because I could never do it - but the past few days have been particularly brutal.

That is because we’ve seen enough patch roll-outs to make your head spin. The names read like a laundry list of popular consumer and business software: Adobe Reader, Apple QuickTime, Sun Java, Skype, WordPress, Firefox.

And, on Tuesday, the big daddy comes when Microsoft delivers 12 fixes, seven critical, the most we’ve seen since February 2007.

Woof. I guess it is safe to say the holiday lull is over.

This, of course, provides clear evidence that the bad guys find it really, really beneficial to exploit client-side, widely-deployed software that most users think to always trust.

Good luck.

Filed under: Consumer threats, Emerging threats, Microsoft, Non-Microsoft patches, Patch Management, Vulnerabilities

Is RBN behind the latest Adobe PDF attacks?

Posted October 30, 2007

The Russian Business Network, the shadowy St. Petersburg, Russia-based ISP, is getting a very bad rap lately in the media.

And rightfully so. Experts believe the RBN is largely behind the Adobe rootkit attacks, which take advantage of a recently patched vulnerability, among other active exploits.

But Matt Richard, the newly appointed director of the Rapid Response Team at VeriSign iDefense, told me in an email that other hosting providers are also to blame.

“In fact, the heart of this attack centers around a U.S. corporation known to provide hosting support for adult sites and other shady organizations,” Richard wrote. “In addition, they accept a number of interesting payment options, including wire transfer and WebMoney. They have ICQ (instant messaging computing) contacts for support and are advertised on a number of forums frequented by cybercriminals. They offer support in English and Russian.”

If we should take anything away from Richard, it’s that the cybercriminal underground has become very organized. While the RBN may be the one group receiving the most attention these days, there are likely scores of others performing similar unscrupulous acts.

Patch, patch, patch.

Filed under: Patch Management, Phishing, Rootkits, Spam, Trojans, Vulnerabilities

Adobe patches dangerous flaw

Posted October 22, 2007

Today is turning into a minor version of “Patch Tuesday” for companies.

Adobe announced today it has shored up a severe vulnerability affecting Adobe Acrobat and Reader. The flaw, discovered by researcher Petko D. Petkov, was identified on Windows XP using the latest Reader version.

Click here for a link to the fix.

Happy patching!

Filed under: Consumer threats, Non-Microsoft patches, Patch Management, Vulnerabilities

Enjoy this Patch Tuesday

Posted September 7, 2007

Looks like Microsoft just dropped the number of planned patches from five to four.

For those keeping score at home, Redmond on Tuesday will kindly offer just one “critical” and three “important” fixes this month.

No word on why Microsoft scrapped one of the “important” patches, the one that corrected a flaw in SharePoint.

I can’t remember the last time there has been this light of a Patch Tuesday. Aren’t things supposed to drastically pick up after Labor Day? I know I’ve been singing the post-summer blues this past work week.

Take this time to work on that security project you’ve been waiting to get to.

And enjoy, as I’m sure there’s plenty more Black Tuesdays coming down the road.

Filed under: Microsoft, Patch Management, Patch Tuesday

A holiday Monday must mean a new Storm Worm attack

Posted September 4, 2007

Another holiday, another run of the Storm Worm.

McAfee has a good write-up on the incident.

Researchers from the security company said that over the weekend, new versions of the notorious trojan began spreading in the form of a Labor Day-themed greeting card email. Unsuspecting laborers who clicked on the link - and whose systems were not patched - were greeted not with well wishes but a slew of exploits.

The attack hoped to take advantage of a previously patched Microsoft vulnerability. But that’s not the bad news because, if you’re even somewhat of a security savvy end-user, chances are your PC is up to date with the latest Redmond patches.

The problem is that the Storm Worm also tries to exploit third-party vulnerabilities, like WinZip and QuickTime buffer overflows.

I don’t know about you, but I don’t think I’m fully upgraded to the latest applications on my machine.

The main takeaway? The Storm Worm is not going anywhere. And with the holiday season coming up, attackers are on course to only continue to power their botnets with more compromised computers.

One can bet that the attackers’ tactics to infect users are only going to grow more sophisticated. But, for the immediate future at least, users control their own destiny.

No click, no infection.

Filed under: Browser flaws, Consumer threats, Email Security, Emerging threats, Microsoft, Non-Microsoft patches, Patch Management, Patch Tuesday, Phishing, Spam, Trojans, Vulnerabilities, Worms

One year after the start of the (now-ubiquitous) “Month of…” projects

Posted July 16, 2007

Another day, another browser bug. Today Secunia reported that researcher Michal Zalewski had discovered a method spoofing vulnerability in Internet Explorer.

The browser has become the attack vector, it seems, ever since Metasploit creator H.D. Moore launched his “Month of Web Browser Bugs” project last July (which eventually kicked off a slew of similar projects attacking various computer applications and components).

While the particular bug announced today is only meant to spoof the address bar, the trend of web-borne malware is taking off.
Malware, according to Secure Computing’s Vice President of Technology Evangelism Paul Henry, has found a new home on the internet.

Vince Weafer, head of Symantec Security Response, told me a few days back of a growing concern over mom-and-pop websites being used to host malware.

Web security, including reputation-based URL filtering, is more important than ever before as thieves turn to the internet to launch their attacks.

What’s scary - the possibilities seem endless.

Filed under: Browser flaws, Emerging threats, Microsoft, Patch Management, Patch Tuesday, Phishing, Trojans, Vulnerabilities, Worms

Reality check time for Apple

Posted June 14, 2007

“So you wanna join the big boys, Apple? Well, you better know what you’re getting yourself into.”

I’d imagine that’s, more or less, what security researchers were thinking when they got their hands on the Safari for Windows beta earlier this week. They promptly discovered a number of vulnerabilities that were pretty darn severe for only putting in a few hours of research time. Apple pushed out an update a few days later.

Apple loves to preach security (think those PC vs. Mac commercials) but the fact is, it’s never faced the scrutiny and interest it faces when it walks into the world of Windows.

For it to succeed, Apple needs to solve its own identity crisis. If Mac OS X and Safari want to become enterprise grade platforms and browsers, Apple better be ready for the vulnerabilities to start rolling in. Because you better believe there’s nothing more hackers embrace than a fresh challenge.

That means Apple needs to be willing to help folks manage and patch their systems. Dare I say they take a lesson from Microsoft? That’s right, the company everybody loves to hate might be able to help their supposed “hipper” neighbors to the south.

Filed under: Apple, Browser flaws, Microsoft, Non-Microsoft patches, Patch Management, Patch Tuesday

You’re under arrest…for having a shoddy network

Posted May 30, 2007

The U.S. Government Accountability Office may want to add another suspect to the FBI’s “Most Wanted” list: Someone who can clean up the federal law enforcement agency’s “inadequate” critical network.

That was, more or less, the message in GAO’s recently released report outlining myriad shortcomings in the FBI’s network.

Included among them are misconfigured network devices that may permit insider access and problems with encrypting, authorizing users, logging events and patching vulnerabilities. Basically everything that comprises a security policy.

Woof. Sounds like a big old mess in the house that J. Edgar Hoover built.

Of course, given the federal government’s miserable resume when it comes to information security, this is not at all surprising.

The FBI agreed with many of the technical recommendations, it said in a response letter, but contended it has not “placed sensitive information at an unacceptable risk for unauthorized disclosure, modification or insider threat exploitation.” Then, the letter went on to explain all the strides the agency has made to protect data.

So, instead of taking constructive criticism, the FBI decided to rattle off a million and one reasons why the report was wrong.

Maybe the FBI has been making advancements and, yeah, we haven’t read about any FBI data meltdowns. But when the federal government is getting hit every other day, there comes a point when you have to bow your head, swallow your pride and work on making changes - not relying on past accomplishments.

Filed under: Breaches, Government, Patch Management, The insider threat, Vulnerabilities

A hotfix and a prayer on Memorial Day weekend

Posted May 29, 2007

By staying-with-my-parents standards, the Memorial Day weekend was going about as well as could be expected. Sure there were the typical verbal fights, and unfortunately my girlfriend had to witness a couple of them firsthand, but it wasn’t a complete disaster.

That is until I sat down at their computer Sunday evening, only to find a note that said “Don’t install updates!” I breathed in and out 10 times before I went to visit my mother on the deck.

“Why, on Earth, are you writing yourself a reminder note to not install updates?” I asked her. “That’s the most insane thing I’ve ever heard.”

She told me that was what the “computer guy” suggested when he came to the house to fix a problem a few weeks back. My mom said to leave her computer alone, that it was working fine.

Knowing she was nuts, I went to the PC to scan for updates, anxious to see how many patches have yet to be downloaded.

Then, the computer became unresponsive. Svchost.exe was consuming 99 percent of CPU. I panicked. My girlfriend came in. She panicked. Had I really broken my parents’ computer after they had advised me, albeit unwisely, to leave their machine alone? Apparently yes.

But then I remembered the fantastically informative article our online editor/reporter Frank Washkuch wrote on this very topic.

We also disabled the Microsoft update setting and asked to only receive updates through Windows, a minor change that seemed to go a long way.

Sheesh, now I truly feel for the administrators who have hundreds of machines to patch each month.

Now I know why they call it Black Tuesday.

Filed under: Microsoft, Patch Management, Patch Tuesday

Security awareness film festival

Posted May 23, 2007

In case you missed it, the Academy Awards of 30-second college student-made computer security awareness videos were recently announced.

Sponsored by EDUCAUSE, the National Cyber Security Alliance and ResearchChannel, the videos lack the glitz and glamour of an award-winning Hollywood production. I must say, though, most of the winners were entertaining.

The videos promote three major messages: run anti-virus software and a firewall, and enable automatic updates.

The third-place finisher, “When You Least Expect It,” chose to focus on the need for wireless security. The clip by Nolan Portillo of California State University in Bakersfield depicts an attractive man and woman - both on their laptops - flirting across a coffee shop. At the end of the spot, he gets up, collects his laptop, and walks out. A message flashes on the screen that he just stole her identity.

The most amusing video came from Evan Michals of Dartmouth College. The actor in the video, sitting in the middle of the library, receives an IM claiming to come from a friend that includes a link to check out some vacation pictures. The actor clicks, only to have his computer infected by pop-up porn advertisements complete with sounds of o

It reminded me of that Southwest Airlines commercial of the woman in the office. Remember that one… “Congratulations, congratulations, congratulations…”

The purpose of the contest (besides the winners getting a handsome prize) is “to raise awareness of and increase computer security at colleges and universities.”

While advice like this won’t help reduce the number of breaches we’ve been reading about - colleges need a lot more than AV software to stop malicious hackers with their eye on vulnerable applications - it may help to save some students from having their identities stolen by fraudsters or becoming part of a botnet.

When it comes to protecting a home user, it really is that simple. Keep your updates and basic security solutions running and you should be fine.

Oh, and don’t click on those links promising vacation pictures.

Filed under: Breaches, Consumer threats, Education, Email Security, Microsoft, Patch Management, Patch Tuesday, Phishing, Spam
