Experton Group is the leading fully integrated research, advisory and consulting company for mid-sized and large organizations, maximizing the business value of their ICT investments through innovative, neutral and independent expert advice.
Experton Group offers consulting services, market surveys, conferences, seminars and publications related to information and communications technology issues.
Our consulting portfolio includes technology, business processes, management and business cooperations, investments and mergers.
28.04.2008
First Vista Service Pack to go out; Oracle Security Issues Highlighted
Officials from Microsoft Corp. recently announced the availability of SP1 for Vista as part of the automatic download process. In other news, Oracle, Inc. has released its latest set of security patches for its products, while federal regulations requiring companies to check the identities of clients and partners increase in scope.
Focal Points:
- Officials from Microsoft announced that the first Service Pack for Windows Vista (SP1) would start automatic distribution for people who are using Windows Update. It was previously available by manual download starting March 18th in English, French, German, Spanish, and Japanese. While the automatic distribution is available now, officials said users may not notice it right away, since they are gradually distributing the service pack to prevent overwhelming distribution and support processes. Other languages will be available for automatic distribution starting the middle of May.
- Oracle's latest quarterly patch fixes a total of 41 vulnerabilities. This is 15 more than the quarterly patch that Oracle released in January, which fixed 26 known problems. This latest set includes patches to Oracle's Siebel line, which were not included in the previous Oracle patch release. For the Oracle database specifically, there were a total of 17 new patches. Engineers from database security vendor Sentrigo, Inc. noticed that two of the vulnerabilities patched can be exploited remotely, without the need for authentication. The remainder of the 41 patches were spread relatively evenly across the rest of the Oracle product lines, including patches for E-Business Suite, which had seven fixes for remote exploits without authentication. Experton Group recommends immediately applying the patches for any known vulnerabilities that can be exploited without authentication, since they indicate significant exposure.
- According to U.S. law enforcement agencies, companies that provide any products or services to either terrorists or criminals engaged in identity theft may themselves be subject to penalties and fines. The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) requires companies to check the identity of all customers against the OFAC list of known terrorists, in order to deny them access to goods or services that can be used for criminal acts. In addition, the Federal Trade Commission has a "Red Flag" program, which goes into effect 1 November and further requires enterprises to check both customers and suppliers against a list of known criminals.
Experton Group believes requirements for complying with security and terrorist threats will continue to increase, as the number of attacks increases and the new modes of finding and exploiting data multiply. It will become increasingly difficult for IT executives to stay on top of all these regulations, and government agencies are not likely to allow much latitude for ignorance, especially in the wake of any public events that raise the visibility of technology's involvement in terrorism and other crimes. IT executives should establish a process for identifying and integrating new security regulations into corporate security policies.
Press
Suzette Heydenreich
Tel.: +971 4 360 8699
Fax: +971 4 361 5699
suzette.heydenreich@experton-group.com