Symantec's comprehensive security report on the malware industry from July 1 to December 31, 2007, is now available (PDF) in its 100+ page glory. While some parts of the report simply reiterate data we're well aware of - it's no surprise to read that the majority of malicious activity originates in the US - there's also a great deal of new information here that we'll examine below.

OS/software vulnerabilities

Symantec broke down information on patch development time by operating system and by the type of vulnerability encountered. Surprisingly, Microsoft had the shortest time-to-patch over both halves of 2007. In the first part of the year, Microsoft released 38 patches (two of which involved third-party applications) with an average deployment time of 18 days. From July to December, Microsoft released 22 patches with an average patch time of six days.

Source: Ars Technica

Apple's teasing commercials that imply its software is safer than Microsoft's may not quite match the facts, according to new research revealed at the Black Hat conference on Thursday.

Researchers from the Swiss Federal Institute of Technology looked at how many times over the past six years the two vendors were able to have a patch available on the day a vulnerability became publicly known, which they call the 0-day patch rate.

They analyzed 658 vulnerabilities affecting Microsoft products and 738 affecting Apple. They looked at only high- and medium-risk bugs, according to the classification used by the National Vulnerability Database, said Stefan Frei, one of the researchers involved in the study.

What they found is that, contrary to popular belief that Apple makes more secure products, Apple lags behind in patching.

"Apple was below 20 [unpatched vulnerabilities at disclosure] consistently before 2005," Frei said. "Since then, they are very often above. So if you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple."

Source: Yahoo News

Kevin Remde: The product team decided to give you TechNet and MSDN subscribers a little Valentine's Day gift by making SP1 available for download.

Go to the http://technet.microsoft.com/subscriptions/default.aspx page. Notice the "Top Subscriber Downloads" section.



You can also go here to get it -

• For TechNet Subscribers
• For MSDN Subscribers

And if you're a subscriber, it will require you to log-in with the Windows Live ID you associated your subscription with.

If you're NOT a TechNet Subscriber, I can save you $100 if you're interested.

Link: Kevin Remde's IT Pro WebLog
Source: WinBeta

It looks like Microsoft has posted the final Vista SP1 bits to their OEM site which is accessible to anyone that registers. The file is a 1.13GB .img which combines the 32-bit and 64-bit update executables into one image:

Windows Vista Service Pack 1 (SP1) is now available for download. Windows Vista SP1 will deliver improvements and enhancements to existing features that significantly impact customers, but it does not deliver substantial new operating system features.

Download Windows Vista SP1 here. The download contains Window Vista SP1 for five languages: English, French, German, Japanese, and Spanish. Note Additional languages will be available soon.

Once you download the Windows Vista SP1 package, you will need to extract the appropriate .exe file for the language you wish to install.

Download: Windows Vista SP1 Update Image (32-Bit & 64-Bit)
Source: WinBeta.org

Windows Vista SP1 will be released as an update on Microsoft Update (MU). The patch is very large and there is a bug in Windows Server 2003 in the WinVerifyTrust API that will cause signing validation to fail. What this means is that once you approve this update on a System Center Essentials 2007 server on a Windows Server 2003 server, every time the server sync’s from MU it will redownload the package, fail the cert validation, and so the download will fail.

The problem will continue until you install the WinVerifyTrust patch on the System Center Essentials server. This patch is a hotfix (not a public GDR), so is not intended to be widely distributed. We recommend it only be installed on the System Center Essentials server itself.

You can obtain this hotfix here:
Windows Server Update Services cannot download large Windows update files in Windows Server 2003
http://support.microsoft.com/kb/888303/en-us

Source: System Center Essentials Team Blog

The Microsoft Update Product Team has given a heads up that Office 2003 SP3 will bve available from Microsoft Update automatic distribution (for Vista and XP) approxmiately thirty days from January 27th. SP3 was released for Office 2003 customers about four months ago. The reason they have said approxmiately thirty days from January 27th is because the availability will happen gradually and not everyone will see it at the same time. Think of the 27th as the marker and no sooner than thirty days from then is when SP3 will start to become available to customers' systems.

The Office 2003 SP3 has received some great feedback on what it is doing for customers in enterprise, consumer and other segments. The security improvements are working so well that people probably don't even know it's installed and working for them. This is a must have service pack for you Office 2003 users.

Link: Microsoft Update Blog 

The wait is nearly over for the first service pack for Windows Vista, according to sources close to Microsoft. Microsoft has said the highly anticipated service pack would be out in the first quarter of this year, but some say it could be available in the next few weeks, more than a month before the quarter ends on March 31. A Taiwanese news outlet Wednesday reported in a story that Vista SP1 would be released Feb. 15, but "that date is as good as any other," said Michael Cherry, an analyst with Directions on Microsoft. "For all we know, they could make it available tomorrow."

Through its public relations agency today, Microsoft declined to comment on the Feb. 15 date beyond reiterating the software would be available in the first quarter. Still, several sources who work closely with Microsoft said a mid-February release is not unlikely, and they expect the software to be out before the end of March.

Chris Swenson, director of software industry analysis for the NPD Group, said that analysts have heard Feb. 15 as the target for SP1, but it's not something Microsoft would confirm publicly to give itself time to make adjustments in case of negative feedback on the current release of the software.

Source: MSFN.org