This week in security

Browser-based attacks are on the rise, a trade group says. Also: Zombie attacks are more likely to come from AOL users.

Michelle Meyers
Michelle Meyers wrote and edited CNET News stories from 2005 to 2020 and is now a contributor to CNET.
Two tech giants have patched critical flaws, but this week's news wasn't all good: Browser-based attacks are increasing, a report said, and federal agencies reportedly are not prepared to deal with spam, phishing and spyware.

The report on browser-based attacks came from the Computing Technology Industry Association, or CompTIA, which on Tuesday released its third annual report on IT security and the work force.

Of nearly 500 organizations surveyed, 56.6 percent had been the victim of a browser-based attack, up from 36.8 percent a year ago and 25 percent two years ago, CompTIA said.

Browser-based attacks often take advantage of security flaws in Web browsers and other components of the user's PC, such as the operating system. The attackers' objective can be to sabotage a computer or steal private data, and the attacks can be launched when a person visits a Web page that appears harmless but contains malicious code.

Another new report found that Internet "zombie" attacks that attempt to knock computer systems offline are more likely to come from users of America Online than any other source, according to Reuters.

AOL and other large Internet service providers serve as launching pads for most denial-of-service attacks, according to a report released Tuesday by Prolexic Technologies, which helps companies fend off such attacks.

Government auditors concluded this week that federal agencies are not prepared to deal with the triple Internet menaces of spam, phishing and spyware.

A survey of the largest federal agencies by the Government Accountability Office revealed that most agencies are suffering from junk e-mail and other online detritus--but not one has a plan in place to deal with the threat and all have received limited guidance on what to do.

Meanwhile, Sun Microsystems has fixed a pair of security bugs in Java that could be exploited by attackers to take over computers running Windows, Linux and Solaris. The flaws are "highly critical," security monitoring company Secunia said in an advisory posted Tuesday. Flaws that get that ranking--one notch below Secunia's most severe "extremely critical" rating--are typically remotely exploitable and can lead to full system compromise.

Microsoft on Tuesday issued three "critical" patches for flaws that could allow a malicious attacker to take remote control of a computer. One fix deals with vulnerabilities in Internet Explorer, while the others tackle problems with HTML Help and Server Message Block in the Windows operating system. The security bulletins were three of 10 released by the software giant as part of its monthly patch cycle.

News.com this week also took readers inside Microsoft's "Blue Hat" summit, in which outsiders were invited into the heart of the Windows empire for the express purpose of exploiting flaws in Microsoft computing systems. "Blue Hat" is a reference to the widely known "Black Hat" security conference, tweaked to reflect Microsoft's corporate color.

The unusual gathering, a summit of sorts between delegates of the hacking community and their primary corporate target, illustrates how important security has become to the world's most powerful software company.