• MS08-067 – ACT NOW!

    I blogged today about the worm outbreak. We are seeing an increasing number of critical support calls because of customers being infected by the worm attacking the vulnerability fixed in MS08-067.

    Let me be even clearer than before: The update has been out for a month now, and believe me: there is a reason why we go out of band with a critical update. So, there is no excuse not to patch! Roll it out now!

    Roger

  • Attacks on MS08-067

    As we were pushing our out-of-band release earlier this month, we tried to make you understand that immediate deployment is needed as the vulnerability is high risk. Otherwise we would not have gone out of band…

    Interestingly enough, we have not seen widespread attacks until now. Earlier today we released different pieces of information on that on the two key blogs:

    The reason why I post, and why these attacks make me a little bit nervous, is that I still hear from too many customers that they have not yet deployed, and the reason behind it is that “they heard that we might have issues with this update”. Sorry, this is plain nonsense.

    To be clear: Out of all support cases Microsoft has received regarding MS08-067, all of them (and I mean all – no exception) turned out to be caused by another issue and/or misconfiguration and not MS08-067! So, there have been no issues with this update so far.

    It is your choice now to decide whom you base your risk assessment on: on some web pages telling you what they heard, or on us.

    Whatever you do, base your risk assessment on the fact that there is somebody out there exploiting the vulnerability.

    Roger

  • Security Risks in the Supply Chain?

    At the moment I am travelling through the Gulf in order to launch the Security Intelligence Report v5 with local data. During one of the discussions today, a question was raised which I have been thinking about for quite a while (but – honestly – do not have an answer to yet): How do you manage the risks in your supply chain? I am not talking about the risks of a supplier not delivering on time. I am talking about the trustworthiness of your hardware and software vendors. There are different things that happened recently that started to raise this question – let me just pick two of them to illustrate what I mean:

    • Lenovo ships an update with malware: Things like that have happened before; this time it is Lenovo’s turn. I once had a discussion with our former Chief Security Officer. She told me that she was asked pretty often what was keeping her up at night. Her answer was a pretty interesting one: “Imagine us shipping a security update to 400 million PCs around the world – and we have a virus/backdoor/Trojan in it”. Do you manage this risk?
    • FBI and other US government agencies are concerned about counterfeit Cisco routers: This is not only because they want to be legally compliant but who knows what is in these routers and what they record and send when to whom. Do you manage this risk?

    I guess if we thought about it in depth, there would be quite a few additional areas you would come up with. One of the questions you will definitely put into the comments is: How are we sure Microsoft does not build in some backdoors either? At least here I can give you an answer: We have a shared source program where governments around the world can look at our source code – and they do, and governments like Russia certify our products as backdoor free.

    But I am more interested to hear whether you manage these risks and how?

    Roger

  • How Spam Filters work

    Just a short one: I think I had to feed that into the requirements list for our Exchange team:

    Roger

  • Get Safe Online – This Week

    We see this concept all over Europe: There are National Security Awareness Days (or whatever they are called) in a lot of European countries. During these events, the industry (from software to banking to government to …) gets together to raise awareness of the most important trends criminals explore when attacking their victims.

    This week in the UK there is the Get Safe Online Week, which is a very good example for me of how this can work out. A lot of partners come together this week to drive awareness around different themes in the area of Online Safety.

    I quote from their press release:

    Today (which was actually yesterday) the UK’s fourth annual Get Safe Online kicks off, a weeklong internet safety awareness campaign encouraging UK computer users to take steps to ensure that they and their machines are protected.

    In a time of economic uncertainty, online security is becoming even more important as the growth of the ‘shadow economy’ in stolen identities can mean a person’s assets such as savings accounts can be stolen and emptied faster than ever.

    Particularly, the use of ‘phishing attacks’ is rapidly on the rise – where criminals send fraudulent emails designed to trick internet users into submitting their financial or other confidential details. 23% of UK internet users surveyed said that they or someone they knew fell victim to such an attack this year, compared to just eight per cent in 2007.

    The image of the geeky hacker is inaccurate: the vast majority of computer crime in the UK is highly organized, with criminals dealing in the buying and selling of personal information used to defraud targets such as full name, address, passport details, driver's license number, date of birth, bank account details and sort codes, plus credit card numbers and security codes.

    Get Safe Online Week aims to give everyone the tools and confidence to enjoy and use the internet safely. In the span of a couple of hours, anyone can learn a few simple steps to remain up-to-date and aware about online safety – a small investment compared to the potential loss and inconvenience if they are instead victims of identity theft.

    I think that this is a great initiative, which needs our broad support:

    Roger