From Tony Bradley, CISSP-ISSAP,
Your Guide to Internet / Network Security.

Four Security Bulletins From Microsoft

Microsoft released four new Security Bulletins for the month of May, bringing the total for 2008 to 29. Three of the four Security Bulletins are rated as Critical, and address issues in Microsoft Word, Microsoft Project and the Microsoft Jet Database Engine. The fourth Security Bulletin, rated only as Moderate, impacts the Microsoft Malware Protection Engine. For details about the May Security Bulletins, and links to downloads for the necessary patches and updates, take a look at Microsoft Security Bulletins: May 2008.
Thursday May 15, 2008

Spam Blasts Social Networking

According to anti-spam firm Cloudmark, as many as 30% of new social networking accounts are actually fake 'zombie' accounts created to distribute spam. While users have been warned for years and are increasingly savvy about avoiding email spam, there is an implicit trust in social networking, and the very nature of social networking sites is to allow strangers with like interests to connect with you, providing an opportunity to spread spam. Read Spammers open new front on social networking sites to learn more.
Thursday May 15, 2008

Asprox Botnet Compromises Web Sites

A botnet is being propagated in a worm-like fashion and infecting vulnerable web sites. Once a web site is compromised, it redirects users to download a malware package, which also includes the Asprox code. The Asprox code then seeks out new vulnerable web sites to compromise and continues to spread. Asprox uses SQL injection on vulnerable Active Server pages to compromise weak sites. According to this report from The Register, the SQL injection attack has compromised about 1,000 web pages thus far, and only 4 of the 32 antivirus products tested were able to detect or identify the threat.
Thursday May 15, 2008

Vendor Claims Vista Less Secure Than Windows 2000

The headline seems a little (a little?) sensationalist. In fact, it may be the very definition of FUD (Fear, Uncertainty, and Doubt). If I were a vendor of security software or services, I might have something to gain from such a headline. According to a report in InformationWeek, a study by security software vendor PC Tools Software shows that Vista is 5% more likely to allow a threat 'through' than a Windows 2000 system. In the study, performed by collecting data from their behavior-based malware detection service, ThreatFire, Vista was found to be 38% more secure than Windows XP. However, the study reports the number of malware threats that 'got through', and not the number of malware threats that successfully compromised or infected the system. Based on the PC Tools Software results, one would expect to find 64% of all Vista PCs infected with some type of malware; however, the data from Microsoft's Malicious Software Removal Tool for the second half of 2007 show that the number is actually less than 3% (compared with 5% for Windows 2000 SP4). Is the study supposed to compel me to want to purchase their ThreatFire service? It seems to me that the results could be interpreted to say that ThreatFire is 61% more likely to let threats get to the Vista operating system, but thankfully only 3% result in a compromise of some sort.
Friday May 9, 2008

The Best Identity Theft Protection Money Can('t) Buy

Identity theft is a serious and growing problem. While it is largely perceived as a computer security issue, identity theft pre-dates the home PC explosion, and even today most identity theft is done the old-fashioned way. Have you ever called a restaurant to place a carry-out order, and the person at the restaurant takes your credit card number over the phone? They slowly, and loudly, repeat each block of numbers. Then they slowly, and loudly, repeat the expiration date, and possibly even the CVV code from the back of the credit card. Have you ever wondered how many employees or patrons are sitting within hearing range of the person slowly, and loudly, repeating all of your credit card information for anyone to hear? Or, have you ever called one of your service providers (your cable TV company, your cell phone provider, etc.) and had them authenticate you by asking for your name and the last four digits of your social security number? Did you ever stop to consider how many people might hear you, and the fact that these two pieces of information are the keys to getting information about you from virtually anywhere? Well, identity theft is anywhere and everywhere, but there is a new breed of service provider that claims to help monitor and protect your identity for you. Take a look at this PC World report to find out how well each performs.
Thursday May 8, 2008

Beware Caller ID Spoofing

This is slightly outside of the scope of Internet / Network Security, but it is a threat resulting from technology and one which could impact readers of this site. According to this article by Leigha Cardwell at SearchUnifiedCommunications, residents in Delaware were recently awakened in the wee hours by phone calls allegedly from Jenny, at '867-5309'. If you weren't around in the '80s, or you didn't listen to Top 40 pop in the '80s, you may not be aware that '867-5309' was a phone number from a popular song in which the singer wanted to get a hold of 'Jenny'. The real perpetrator of the phone calls was apparently a mortgage refinancing company trying to solicit business in a form of telephone 'spam'. You are most likely used to receiving spam emails which appear to have been sent by someone other than the true sender. Now, those seeking to compromise your personal information or steal your identity can spoof their caller ID information to appear to be from a reputable company. This caller ID spoofing will both increase the odds of you answering the call to begin with, and establish a false trust with the caller. Take a look at Complete guide to caller ID spoofing: Safeguarding your resources for more information and tips to protect yourself.
Wednesday May 7, 2008

Hackers Target Handicapped

Most malware and computer security attacks these days are motivated by money. The majority of botnets and phishing scams are designed to separate users from their cash in some way, shape, or form. Compared with some recent attacks, stealing money is almost 'noble'. A few months back, around Christmas of 2007, malware was circulating in the wild which specifically targeted software used by those with impaired sight that would read the text aloud so they could interact with their PCs. According to researchers at Sophos, it appeared that the motivation behind this malware was to disable illegal copies of the software and not intended specifically to torment blind people. This week, however, attackers exploited vulnerabilities on the web site of the Epilepsy Foundation to redirect users to sites with rapidly moving images and quickly shifting kaleidoscopes of colors, sites that can induce severe migraines and epileptic seizures in those afflicted with epilepsy. Taking someone's money seems like a noble and rational, albeit immoral and unethical, pursuit by comparison.
Wednesday May 7, 2008

Microsoft Puts Vista SP1 and XP SP3 On Hold

Windows Vista SP1 has been available for a while, but Microsoft just recently began to push it out via Automatic Updates to systems that did not yet have it. Some customers then learned the hard way that one of the changes in the way Vista works with SQL Server databases may cause data corruption for certain Microsoft Dynamics products. The latest Service Pack for Windows XP, SP3, is also on hold pending a fix for the data corruption issues. For the record though, this issue seems related specifically to the Microsoft Dynamics CRM software, so the vast majority of users have nothing to be concerned about. This PC World article has some more details about the issues.
Monday May 5, 2008

Storm Botnet Tapers Off To A Drizzle

According to MessageLabs, there were approximately 2 million PCs compromised with the Storm Botnet at the end of March. In April, that number dropped to around 100,000. That is a 95% drop in one month. Microsoft has claimed some credit for thwarting the botnet through its free Malicious Software Removal Tool, and its initiatives working with law enforcement to identify and eradicate the threat. Read this article from The Register to learn more about the waning Storm Botnet. Hopefully vendors aren't declaring victory prematurely and this won't turn out to be a catastrophic blunder like the Bush administration's "Mission Accomplished".
Friday May 2, 2008

Your Medical History on the Web

If you have ever switched doctors or dentists, you know what a pain in the butt it can be to get your records transferred. If you have ever had to deal with multiple doctors at the same time, you are probably also familiar with the complexity of sharing information between doctors to ensure continuity of service and make sure there are no conflicts or interactions between the different treatment plans. What if all of your medical information was available via the Web? You could view it conveniently from any web browser. Your doctors could view it conveniently from any web browser. Could the data be accidentally leaked? Could an attacker view the data? Would anyone be held responsible if it were? Well, both Google and Microsoft are testing initiatives to let users place medical information on the Web. They are each aware that security is a major concern, and they are working on ways to protect the data; however, because they are not in the "health care industry", they are not bound by HIPAA (Health Insurance Portability and Accessability Act) restrictions or penalties regarding patient data. Eric Larkin talks about some of the pros and cons of these initiatives in Should You Trust Your Health Records to Google and Microsoft?
Friday May 2, 2008
©2008 About, Inc., A part of The New York Times Company. All rights reserved.


