Microsoft fixes 19 bugs in big patch smorgasbord

Microsoft today delivered nine security updates that patched 19 vulnerabilities in several crucial components of Windows, as well as in Media Player, Outlook Express, IIS (Internet Information Server), Office and other products.

Five of the updates were pegged as "critical," the most serious ranking in Microsoft's four-step scoring system, while four were marked "important," the next rating down.

"This is certainly a hodgepodge," said Andrew Storms, director of security operations at nCircle Network Security. "There's no real pattern this month. I'd call it a smorgasbord."

Of the nine bulletins, eight patched some part of Windows or software included with the operating system, while the ninth plugged holes in a variety of programs - Office, Visual Studio, Internet Security and Acceleration Server (ISA Server) and others - that stemmed from a flaw in Office Web Components (OWC), a set of ActiveX controls that let users publish Word, Excel and PowerPoint documents on the Web, then view them within Internet Explorer (IE).

Last month, Microsoft warned users of attacks exploiting the ActiveX control that displays Excel spreadsheets in IE, but the company was unable to patch it in time to meet the July update schedule. Security experts had predicted that Microsoft would fix the flaw today.

Microsoft also patched Remote Desktop Connection Client for Mac, software that lets Mac users connect to Windows-based machines, along with Remote Desktop, a service present on both client and server versions of Windows. That software is used to access applications and data on a remote system over a network.

But the big story today, said Storms, was the set of patches for five vulnerabilities - two of which had been disclosed and patched previously - that Microsoft's own software inherited from a buggy code "library," dubbed ATL for Active Template Library.

Two weeks ago, Microsoft rushed a pair of emergency updates to users that plugged multiple holes in IE and Visual Studio. Those vulnerabilities were traced to ATL, which is used by Microsoft and an unknown number of third-party developers to create ActiveX controls and application components.

The ATL vulnerabilities were introduced when a Microsoft programmer added an extra "&" character to the widely used library.

"We expected a slew of ATL patches," said Storms, "although we only got five. But I expect that we'll see more and more ATL bugs from Microsoft in the next couple of months."

Today's ATL patches included fixes for both the "public" version of the library - what Microsoft shares with third-party developers - and the "private" version it uses internally. The five-fix MS09-037 security bulletin plugs holes left by ATL in Outlook Express, a now-outdated light e-mail client once bundled with Windows; in Windows Media Player; and in two Microsoft-made ActiveX controls.

Storms also called out MS09-038, which patches two vulnerabilities in Windows' handling of the AVI media file format. "This is a classic example of a media file format bug that once you view a malicious video, you get owned," he said.

The AVI-handling flaws are ripe for worm exploitation. "All the potential is there," Storms said, but he declined to predict whether hackers would latch onto the vulnerabilities with in-the-wild exploits.

"We're going to feel the 19 [vulnerabilities] this month," Storms added. "Because of the disparate systems that need to be patched and the wide variety of software that must be tested, everyone will be feeling the pain this month."

The August updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

H-1B demand may be retreating as feds increase scrutiny

WASHINGTON - For what may be the first time, the number of H-1B petitions withdrawn by applicants or rejected by U.S. authorities is exceeding the number of new petitions for the visas.

The result has been a slight decrease in the H-1B visa petition count over the past two months, on the scale of a rounding error. The drop may be little more than a short-term phenomenon, but it is inviting theories as to its cause, ranging from increased U.S. scrutiny of H-1B petitions to the general economy.

The U.S. has received approximately 44,900 visa petitions toward its 65,000 H-1B visa cap, one of two caps, since it began accepting petitions on April 1. But the number of visa petitions reported in mid-May by the U.S. Citizenship and Immigration Service (USCIS) was 45,500 visas. There has been a net decline of 600 visa petitions from May to June.

A USCIS spokesman, in an e-mail, said the reason for the decline is that the number of denials, withdrawals of applications and revocations is "quite simply" exceeding the number of new filings. The U.S. has a second H-1B cap of 20,000 set aside for graduates from U.S. universities with advanced degrees. In raw numbers, that cap has been reached.

In sum, the U.S. has received 65,000 H-1B petitions since April 1 for 85,000 available visas for the fiscal year that begins Oct. 1. The combined cap may well be reached in the months ahead, but for now, demand has flatlined.

In the past year, the USCIS has increased the requirement for a wide range of documents to support visa applications to the point that the American Immigration Lawyers Association (AILA) says the requirement is "bordering on harassment."

The small H-1B decline reported by the USCIS may well be nothing more than a counting error, but Vic Goel, an immigration attorney in Reston, Va., said it has more to do with cases being denied or withdrawn.

Goel said he has had clients withdraw pending H-1B cases because they couldn't get the large amount of material sought by authorities in time to meet government deadlines, or because the USCIS was seeking new documentation. In the latter instance, USCIS officials have asked IT consulting firms to obtain letters from clients with detailed descriptions of the duties performed by H-1B workers, their salaries, hours, benefits, and the length of the assignment, among other things, which has not been a normal business practice, he said.

"Not many companies are going to give such a letter to a vendor without serious reservations, which could jeopardize the business relationship," Goel said.

In large multiyear engagements, Goel said, an IT consulting firm's employees will typically work in the client's offices, but the client does not oversee that person's work, benefits and pay, which is why it may be unwilling to issue such a letter. The USCIS will often deny such cases "by concluding that the H-1B employer has not proven that a job actually exists or that it will really direct and control its own worker," he said. Denials have also been issued for H-1B visa extensions on these grounds, he said.

The reason the USCIS is demanding more from clients may rest with a report last fall by USCIS investigators that looked at 246 visa cases and found that about 20% had evidence of fraud or technical violations.

Among the problems the USCIS reported were workers who weren't paid the prevailing wage or who were "benched" without pay when there was no work. That report was followed earlier this year by a U.S. Justice Department action that charged a number of companies with H-1B visa-related violations. Those violations included citing the prevailing wage of a lower-paying region but assigning the worker to perform the job in a higher wage region.

Robert Deasy, director of liaison and information for the AILA, said the economy has a major role in the stalled demand for H-1Bs. "Ultimately, I think it's economy driven," he said. Deasy, however, said he's not ruling out a USCIS role in the visa decline through its aggressive actions and "extraordinarily rigorous" demands for documentation that are leading to visa denials and withdrawals.

Real ID opposition sparks revisions to national driver's license standard

Widespread opposition to a 2005 bill designed to create a national standard for driver's licenses has prompted a revised version of the bill that no longer contains its most controversial provisions.

The proposed revision is called the "Providing for Additional Security in States' Identification" Act of 2009, or Pass ID Act, and was introduced in the U.S. Senate late on Monday by Senators Daniel Akaka (D-Hawaii), George Voinovich (R-Ohio), Patrick Leahy (D-VT), Jon Tester (D-MT), Max Baucus (D-MT) and Thomas Carper (D-DE).

The bill is a revised version of the Real ID Act of 2005, which was signed into law by then President Bush but the implementation of which has almost stopped amid cost concerns and fears that it could end up becoming a de facto national ID card.

Like Real ID, the proposed Pass ID is designed to give states a set of minimum standards they are required to follow when issuing driver's licenses. These include the need for issuing agencies to ensure that all individuals applying for a license have credentials that establish their identity, age, principal residence, and their U.S. citizenship or proper legal status in the country.

Pass ID requires states to establish processes for vetting the credentials presented by individuals applying for licenses, and to periodically check the legal status of individuals who have been issued licenses but are not U.S. citizens.

The proposed bill, like Real ID, requires state driver's license agencies to store digital photos of individuals to whom driver's licenses have been issued, as well as digital or paper copies of all supporting documents. As with Real ID, a license that is compliant with Pass ID will be machine-readable and will eventually be required for individuals to board commercial aircraft or enter federal facilities such as those associated with defense or national security.

Controversial aspects cut

Pass ID also seeks to repeal some of the most controversial aspects of the Real ID bill. For instance, the proposed bill would strictly limit the official purposes for which a Pass ID credential would be required, compared with Real ID, for which no such restrictions existed. It also eliminates the requirement that all state driver's license databases be linked to each other, and that each state allow their databases to be electronically accessible by other states.

Under Pass ID, states will no longer be required to authenticate birth certificates, Social Security numbers or other credentials with the issuing authority and instead are only required to "validate" them. States will also not be charged for tapping the U.S. Department of Homeland Security's (DHS) databases to verify the immigration status of an individual, as they would have been under Real ID.

In addition, Pass ID seeks to limit the kind of information that a license-issuing agency may include in the machine-readable portion of the license, and the purposes for which that data can be used. States will be prohibited from including Social Security numbers in the machine-readable zone of a license, whereas previously there were no such limitations. Importantly, the proposed bill also requires new privacy and security safeguards for personally identifiable data.

The changes come amid a virtual rebellion by states over the implementation of Real ID, which was signed into law in conformance with the recommendations of the 9/11 commission on terrorism. So far, more than two dozen states have passed measures either rejecting or opposing the Real ID mandate, including Arizona, Arkansas, Idaho, Maine, Montana, New Hampshire, South Carolina and Washington.

Last month, Oregon lawmakers joined the rebellion, approving a bill that would prohibit agencies from spending state money to implement the requirements of the Real ID Act unless the federal government reimbursed them. The bill would also prevent the state's Department of Transportation from implementing requirements of the Real ID Act unless it can demonstrate specific security controls for protecting license data.

Such protests have stemmed from what many states say is the unreasonable cost burden of Real ID, with its increased documentation, identity verification, data storage and database linking requirements.

Privacy, data security concerns

Privacy and civil rights advocates have blasted Real ID and said that it would result in the creation of a de facto national ID card that could be used to track and snoop on individuals. They have warned that the proposal to link state driver's license databases together would greatly increase the potential for data compromise and data theft.

As a result of such concerns, the DHS, which is the agency in charge of implementing Real ID, has been pushing back compliance deadlines. After stating earlier that individuals with standard state-issued licenses would not be able to board commercial aircraft starting May 2008, the DHS now says state licenses will be acceptable as identification by federal agencies until December 2014. Individuals age 50 or older will not have to show Real ID cards until December 2017.

Today's proposed bill has received a decidedly mixed response so far. The Center for Democracy and Technology (CDT), which in the past has expressed concern over the privacy and civil rights implications of Real ID, today welcomed the proposed legislation.

"We think it addresses the main privacy issues we had with Real ID," said Ari Schwartz, executive director of the Washington-based think tank. The removal of the database linking provision, the proposal to limit the official purposes for which the card would be needed and the changes relating to the machine-readable data are all good steps, Schwartz said.

The changes effectively counter the likelihood of the card being used for tracking people, while also meeting the 9/11 commission's recommendations, he said. The decision to revise Real ID rather than repeal it altogether as some have called for is a good step, Schwartz said. "We think this was a pragmatic approach," he said.

But Janice Kephart, director of national security policy at the Center for Immigration Studies, blasted Pass ID, saying it would do nothing to improve security. "It is in fact a dumbing down of ID verification [practices]," Kephart said. "I would call it a Pass on Anything ID Act."

"It would not conform at all to the 9/11 commission standard and would help terrorists get on airplanes," she said. The proposed legislation will only introduce confusion, give states money without accountability, roll back airport security and eliminate information sharing between states, she said.

The American Civil Liberties Union (ACLU), which has been an ardent critic of Real ID, today expressed dissatisfaction with the proposed bill. It said in a statement that while Pass ID included some welcome privacy protections, the legislation "could ultimately resurrect the discredited Real ID Act and become the basis for a National ID."

The statement pointed to the widespread opposition to Real ID in many states and said the law should have been repealed rather than "fixed."

Security budgets are falling, survey says

A Deloitte survey of more than 200 information security officers in the high-tech, media and telecom sectors shows that 32% face reduced information-security budgets.

The Deloitte 2009 Global Security Survey for the technology, media and telecom industry also said that information security managers are less inclined to invest in new security technologies as early adopters than they were in 2007, the last time the survey was undertaken.

Previously, 67% of respondents "considered themselves early adopters of security technology," the report states, while that number has dropped to 53%. The Deloitte survey concludes information security managers in high-tech, media and telecom face increased pressures of "reduced security investment and increased focus on keeping the day-to-day business up and running."

"Thirty-two percent of them said they had reduced security budgets, though there were no details," says Irfan Saif, principal in Deloitte's enterprise risk services, about the 2009 Global Security Survey.

While 25% of the survey's respondents did say they were seeing their security budgets raised, the increase was less than 5%.

"Sixty percent said they feel they're falling behind or still just catching up," Saif says, adding that social-networking technologies and regulatory concerns rank among the main worries of the information security managers polled in the survey.

The survey also showed that only 28% felt confident they were protected from internal attacks carried out by insiders.

Moreover, the position of "privacy officer" (sometimes "chief privacy officer"), whose job is to ensure an organization's data-management processes conform to established law and preferred corporate practices, also appears to be in some decline among the companies questioned about it.

The previous Deloitte survey of the high-tech, media and telecom industry showed that half of the companies responding did have "an executive responsible for privacy," but this year's survey showed a decrease of 6% from that.