The SC Magazine Newsteam Blog

Out-of-cycle fix underscores fundamental change in Microsoft patching process

Posted October 24, 2008

It wasn’t too long ago that Microsoft bore constant criticism for its lack of transparency regarding security vulnerabilities and subsequent fixes.

One cannot objectively still accuse the software giant of similar evasiveness.

Nowhere has this change in approach been more evident than Thursday’s unexpected out-of-cycle patch for a Windows Server service vulnerability. Immediately following the issuance of the fix, Microsoft staff wrote posts on not one, not two, not three, but four different Microsoft blogs. You can find them here.

That’s not to mention the webcasts (Microsoft added two on Friday because of popular demand), where end-users could hear specifics about the major flaw.

Certainly this was an urgent matter that companies across the globe needed to be aware of and act on quickly to prevent the possibility of a major internet worm a la Nimda, Code Red and Blaster.

And Microsoft realized that corporations would have a lot of questions: Why did Microsoft rush this fix? How did this one get past the secure code team? Which Windows versions are most affected? What do the active attacks look like? The software giant did its best to provide answers.

They should be commended, especially on the heels of the first-ever round of Patch Tuesday bulletins that included an Exploitability Index, by which users can measure the likelihood of the vulnerability in question being exploited.

Needless to say, Thursday’s out-of-cycle fix aimed to correct a gaping hole that could have been consistently exploited.

And thanks to Microsoft’s candor, not only are businesses patching before anything gets out of hand, but they are patching with an understanding of what they’re patching and why.

And information is power, after all.


Filed under: Microsoft, Patch Tuesday, Vulnerabilities, Worms

Using crowds of people to fight malware

Posted February 4, 2008

Panda Security might just have the right idea when it comes to fighting malware across a threat landscape that is seeing more sophisticated and faster evolving attacks than ever before.

The Glendale, Calif.-based anti-virus firm has developed a new method known as “collective intelligence” to combat zero-day and targeted security threats — in the cloud, in real time.

Here’s how it works: Instead of relying on the manual collection and remediation of each piece of malware, which is morphing at alarming rates, Panda taps into the aggregated knowledge of its thousands and thousands of diverse users.

It’s the same principle that author James Surowiecki chronicles in his “Wisdom of Crowds” best seller. In the introduction, he recaps an anecdote from a British scientist’s visit to a county fair, at which the public tried to guess the weight of an ox. Each individual guess was wrong, often way wrong, but when the scientist averaged the predictions, the number came within 1 pound of the animal’s weight.

It doesn’t work that much differently in the case of Panda’s technology.

In other words, if one customer is infected with a new variant, Panda immediately records that, develops a fix and pushes it out to all users. The idea is that users are on the front line. Why wait for lab workers to discover the malware when there is “intelligence” to be harnessed from a huge community of users of various shapes and sizes from all over the world? They are getting hit with different stuff every day.

Just because they are your customers doesn’t mean you can’t use them to create more robust solutions.

This technical feat is evident in Panda’s just-announced product called Panda Security for Internet Transactions. The offering, deployed by banks, utilizes the “collective intelligence” technology to almost instantaneously scan customers’ computers for trojans when they sign into their accounts.

If the product detects malware designed to perpetrate financial fraud, something like a keylogging trojan, users are diverted to a “safe page,” where they are prompted to download anti-virus and get cleaned up.

To see firsthand how this “collective intelligence” technology works, check out www.infectedornot.com, where you can run a quick 60-second scan of your PC for any viruses or spyware.


Filed under: Consumer threats, Emerging threats, Product news, Trojans, Worms

Compare and contrast - top 10 lists

Posted October 2, 2007

Here are the top 10 email- and web-based malware threats for September, according to Sophos. You’ll notice that Netsky and the Pushdo trojan were the dominant email-based malware last month, and IFRAMEs were very popular as a web-based threat.

September 2007 email-based malware threats, according to Sophos:

1. W32/Netsky 29.9%
2. Troj/Pushdo 27.4%
3. W32/Mytob 9.2%
4. W32/Zafi 8.3%
5. Mal/Iframe 6.0%
6. Mal/Behav 4.6%
7. W32/MyDoom 4.1%
8. Mal/Basine 2.5%
9. W32/Bagle 1.4%
10. W32/Traxg 1.2%
Other 5.4%

September 2007 web-based malware threats, according to Sophos:

1. Mal/Iframe 59.5%
2. Mal/ObfJS 17.0%
3. Troj/Decdec 3.7%
4. Troj/Fujif 3.6%
5. Mal/EncPk 1.6%
6. Troj/Iffy 1.3%
7. Troj/Pintadd 1.3%
8. Troj/Psyme 1.0%
9. Mal/Packer 0.9%
10. Troj/Ifradv 0.8%
Other 9.3%


Filed under: Email Security, Emerging threats, Industry reports, Mobile and Endpoint Security, Rootkits, Trojans, Worms

Imagine the good the Storm Worm could bring to mankind

Posted September 13, 2007

I want you all to think hypothetically for a moment. No - I mean really, really hypothetically.

Shane Coursen, Kaspersky Lab’s senior anti-virus researcher, brought up an interesting “imagine-if” on Wednesday at the InfoSecurity show in New York when he conceptualized the potential benefits of the Storm Worm botnet.

By expert estimates, the nasty virus, which began spreading in January, controls hundreds of thousands of PCs worldwide. That kind of supercomputing power is a spammer’s dream come true. But imagine if such a grid were used for something positive, such as the Human Genome Project?

“If it was used for [such] purposes, it could do a lot of good,” Coursen told the audience of about 50 people.

Not likely to happen, of course. And I’m guessing there might be some legal hurdles to overcome - to say the least - if millions of compromised PCs were being used in a regulated endeavor.

But it’s fun to think about. At least in theory.

OK, I’m done thinking hypothetically. I just got an e-greeting phish in my inbox.


Filed under: Consumer threats, Email Security, Emerging threats, Phishing, Spam, Trojans, Worms

A holiday Monday must mean a new Storm Worm attack

Posted September 4, 2007

Another holiday, another run of the Storm Worm.

McAfee has a good write-up on the incident.

Researchers from the security company said that over the weekend, new versions of the notorious trojan began spreading in the form of a Labor Day-themed greeting card email. Unsuspecting laborers who clicked on the link - and whose systems were not patched - were greeted not with well wishes but a slew of exploits.

The attack hoped to take advantage of a previously patched Microsoft vulnerability. But that’s not the bad news because, if you’re even somewhat of a security-savvy end-user, chances are your PC is up to date with the latest Redmond patches.

The problem is that the storm worm also tries to exploit third-party vulnerabilities, like WinZip and QuickTime buffer overflows.

I don’t know about you, but I don’t think I’m fully upgraded to the latest applications on my machine.

The main takeaway? The storm worm is not going anywhere. And with the holiday season coming up, attackers are on course to only continue to power their botnets with more compromised computers.

One can bet that the attackers’ tactics to infect users are only going to grow more sophisticated. But, for the immediate future at least, users control their own destiny.

No click, no infection.


Filed under: Browser flaws, Consumer threats, Email Security, Emerging threats, Microsoft, Non-Microsoft patches, Patch Management, Patch Tuesday, Phishing, Spam, Trojans, Vulnerabilities, Worms

One year after the start of the (now-ubiquitous) “Month of…” projects

Posted July 16, 2007

Another day, another browser bug. Today Secunia reported that researcher Michael Zalewski had discovered a method spoofing vulnerability in Internet Explorer.

The browser has become the attack vector, it seems, ever since Metasploit creator H.D. Moore launched his “Month of Web Browser Bugs” project last July (which eventually kicked off a slew of similar projects attacking various computer applications and components).

While the particular bug announced today is only meant to spoof the address bar, the trend of web-borne malware is taking off.

Malware, according to Secure Computing’s Vice President of Technology Evangelism Paul Henry, has found a new home on the internet.

Vince Weafer, head of Symantec Security Response, told me a few days back of a growing concern over mom-and-pop websites being used to host malware.

Web security, including reputation-based URL filtering, is more important than ever before as thieves turn to the internet to launch their attacks.

What’s scary: the possibilities seem endless.


Filed under: Browser flaws, Emerging threats, Microsoft, Patch Management, Patch Tuesday, Phishing, Trojans, Vulnerabilities, Worms

Storm worm update

Posted July 5, 2007

As researchers expected, “storm worm” spammers have customized their latest subjects to recognize Wednesday’s July 4 holiday in hopes of using timely events to infect more users.

According to US-CERT, some examples of subject lines include “Celebrate Your Nation” or “America’s 231 Birthday.”

These social engineering tactics attempt to lure unsuspecting users into installing malware on their machine.

The best advice: keep your anti-virus and patches up to date and, if this junk mail happens to slip by mail filters, rely on employee awareness training to teach end-users not to click on unknown links.


Filed under: Education, Phishing, Spam, Trojans, Worms

Sopranos/IT security prediction falls just short

Posted April 9, 2007

When I posted yesterday on the News Team Blog saying that maybe, just maybe information security would be written into a “Sopranos” plotline before the series finale, I was joking…mostly.

But it turns out that I wasn’t that far off – literally only a few feet or so from where I’m now sitting.

I’ll explain: in last night’s season premiere, Tony Soprano and henchman Bobby Bacala had a meeting with a pair of French Canadian lowlifes who were interested in selling stolen prescription drugs south of the border – a tidbit of note to the staff of Medical Marketing and Media magazine, our sister Haymarket Media publication with a news desk just a few steps away.

But with organized crime’s interest in malware and personally identifiable information popping up on seemingly one industry report after another, maybe it’ll be IT security’s turn next Sunday.


Filed under: Breaches, Emerging threats, Lawbreakers, Phishing, Trojans, Vulnerabilities, Worms
