UnsafeBits

Fuzzing Snags a Serious Flaw in Windows

Vulnerability hunters increasingly rely on "fuzzing", a technique that tries to break programs with pseudo-random inputs.

Robert Lemos 09/10/2009

Severe security bugs are getting harder to find, especially in gigantic pieces of software such as the Windows operating systems. Microsoft has spent millions attempting to defeat bugs, and arguably leads developers in secure software programming practices by vetting new code with automated analysis programs and by retraining all its developers in secure coding practices.

Yet, occasionally serious security flaws still slip through.

This week, that is exactly what happened when an independent security researcher revealed some details of a vulnerability in the Windows code that handles file and printer sharing, known as the server message block (SMB) protocol. The researcher, Laurent Gaffié, found the flaw using a technique known as "fuzzing" that tries to break a program by inputting random, but structured, data.

Gaffié focused on the latest version of the code, known as SMB version 2, which is only included in Windows Vista and later versions of the Windows operating system. Finding the vulnerability was much easier than expected, he says. "It took exactly 15 packets (of data) and 3 seconds before SMBv2 got smacked," Gaffié says. The researcher has spent the last year studying the Microsoft communications protocols, looking for weaknesses.

Microsoft acknowledged the existence of the vulnerability in an advisory on Tuesday. The flaw only exists in Windows Vista and in older versions of Windows Server 2008 and Windows 7, the company says. Moreover, Microsoft was already aware of the issue and had fixed it in Windows Server 2008 and Windows 7, a spokesperson says.

"We found this issue independently through our fuzzing processes and implemented the fix into Windows 7 RTM (release to manufacturer) and Windows Server 2008 R2," the spokesperson says. "We're working to develop a security update for Windows Vista, Windows Server 2008 and Windows 7 RC."

Last month, another researcher revealed a flaw in the code that handles short message service (SMS) data on Apple's iPhone. He also found the vulnerability through fuzzing.

Games Company Declares War on Gold Farmers

In sci-fi multiplayer game EVE Online, a raid on currency traders yields immediate benefits.

Robert Lemos 09/03/2009

On June 22, administrators at Iceland-based CCP Games cut off 6,200 users--about 2 percent of its total user base--in the science-fiction-themed multiplayer game EVE Online.

The operation, dubbed Unholy Rage by CCP, targeted accounts used to build up experience or obtain goods that could then be sold for real money, a practice known as gold farming. These real-money traders (RMTs) plague many massively multiplayer online role-playing games, including the immensely popular sword-and-sorcery title World of Warcraft.

Immediately after Unholy Rage, the load on CCP's servers dropped by 30 percent, as automated accounts suddenly were no longer demanding resources.

"This clearly shows the very disproportionate load the RMT type accounts imposed on our system," the company said in a blog post describing the operation. "That is a whole lot of CPU for the rest of you to play with, people."

Cutting off 6,200 accounts -- about 2 percent of the EVE Online user base -- returned 30 percent of its server capacity back to CCP Games. (Source: CCP Games)

Currency traders typically pay players in developing countries or use automated game-playing bots to create a steady supply of virtual money. Game companies actively pursue such traders, as well as the software developers that enable the automated playing of online games. Blizzard Entertainment, for example, which runs World of Warcraft, has created a program to prevent bots from playing and has taken legal action against the developers of such add-ons.

Gold farmers don't just spoil the game. The FBI and the U.S. Secret Service, both of which pursue online criminals, have started looking at game-currency traders as a potential front for money launderers.

CCP Games, which has its own on-staff economist--a Ben Bernanke of the EVE Online universe--promises that Unholy Rage is just the beginning.

"The war against the RMT element continues," the company stated. "Our objective is to get rid of them, plain and simple. They are a heinous nuisance and a serious drawback on our systems and resources."

Clarifying An Antivirus Cloud

Other antivirus firms have raised questions about Immunet's "cloud-antivirus" technology. The startup's CEO offers to answer them.

Robert Lemos 09/02/2009


Following Immunet's launch in August, rival antivirus firms quickly raised questions about the company's claims to deliver a "cloud" antivirus service.

Immunet's CEO Oliver Friedrichs agreed to answer some questions about the company, its business and the technology it uses to detect malicious software.

What is your definition of a cloud antivirus solution?

A pure cloud antivirus solution relies on a detection set that resides on Internet servers, or "in the cloud." A lightweight desktop agent is used to query this detection set whenever new files are installed on your computer, or when you perform a scan of running applications. Traditional antivirus products store this detection set locally, and in recent years, that database has grown to use anywhere from 50 to 100 megabytes of additional storage space. Immunet Protect is a pure cloud-based product since our detections are stored on the Internet by Immunet and accessed on-demand when required.

What are the advantages of cloud AV?

A cloud AV product is much different than a traditional antivirus product, and it requires re-architecting all components of the AV products. It moves the actual detections into the cloud. The following are what we believe are just some of the benefits:

  • It reduces the publishing delay to zero
    Threats today are very short lived, and by the time you receive detections from your traditional AV vendor, the threat itself has largely died off. Even worse, the detections that you receive--numbering from 10,000 to 40,000 per day--are largely irrelevant to you. The chances of you encountering even one of those threats on any given day are very, very low. Your system queries the cloud to determine whether something is malicious, and it takes, on average, 200ms, about 1/5th of a second, to get a response.
  • It requires fewer resources from users' computers
    Cloud AV reduces the on-disk footprint, in-memory usage, CPU required to update your computer, and bandwidth costs.
  • It allows for broader protection
    Since the cloud can grow in a largely unbounded fashion, it is possible to be much more liberal on what you put in the cloud. It allows for blacklisting, whitelisting, and even aggressive report-only detections quite easily. It allows an antivirus vendor much more flexibility in protecting the end-user.
  • It allows for quicker innovation
    It is much easier for a company that is cloud-based to innovate and tune their detection logic. In most cases this does not require the company's user base to install updates. This is a huge advantage and directly affects the protection that is provided to end users.
  • It allows for immediate resolution of false positives
    False positives--when a legitimate program is flagged as a threat--continue to plague the AV industry, and they are impossible to eliminate entirely. With a cloud-based model, however, you can remove an erroneous detection immediately, as soon as you begin to see people in the field restore files that have been incorrectly quarantined. Immunet Protect does this, and we are able to resolve false positives by monitoring in-field restores.
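The query-the-cloud model and the restore-driven false-positive rollback described in the answers above, as an added illustration that is not Immunet's code: a constructed server-side detection set keyed by SHA-256, a minimal agent that hashes a new file and asks for a verdict, and a restore counter that downgrades a block to report-only once a threshold is crossed. The hash keying, the verdict names and the threshold of three restores are assumptions made for the example.

```python
import hashlib
from collections import defaultdict

# Verdict classes the interview names: blacklist, whitelist, report-only.
BLOCK, ALLOW, REPORT_ONLY, UNKNOWN = "block", "allow", "report-only", "unknown"

class CloudDetectionService:
    # Constructed stand-in for the server-side detection set, keyed by SHA-256.
    def __init__(self, restore_threshold=3):
        self.verdicts = {}                # sha256 -> verdict
        self.restores = defaultdict(int)  # sha256 -> in-field restore count
        self.restore_threshold = restore_threshold

    def publish(self, sha256, verdict):
        # Publishing is a server-side write; no signature file ships to endpoints.
        self.verdicts[sha256] = verdict

    def lookup(self, sha256):
        return self.verdicts.get(sha256, UNKNOWN)

    def report_restore(self, sha256):
        # An agent reports that a user restored a quarantined file. Once enough
        # users restore the same hash, the block is downgraded to report-only,
        # which is the immediate false-positive resolution described above.
        self.restores[sha256] += 1
        if (self.verdicts.get(sha256) == BLOCK
                and self.restores[sha256] >= self.restore_threshold):
            self.verdicts[sha256] = REPORT_ONLY
        return self.lookup(sha256)

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def scan_file(cloud, data: bytes) -> str:
    # Lightweight agent step: hash the new file and ask the cloud for a verdict.
    return cloud.lookup(sha256_of(data))

def demo():
    cloud = CloudDetectionService(restore_threshold=3)
    bad = b"constructed sample: known-bad file contents"
    legit = b"constructed sample: legitimate tool contents"
    cloud.publish(sha256_of(bad), BLOCK)
    cloud.publish(sha256_of(legit), BLOCK)  # an erroneous detection
    before = scan_file(cloud, legit)
    for _ in range(3):  # three field restores of the same hash
        cloud.report_restore(sha256_of(legit))
    return before, scan_file(cloud, legit), scan_file(cloud, bad)
```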

Malicious software that is packed in different ways to evade antivirus is a major problem right now. We will likely see packed programs that will require millions of signatures to catch. How does cloud AV solve this problem?

Cloud AV can deal with packed, metamorphic, and polymorphic threats through the use of domain-specific generic signatures that will detect families and variants of these threats. The development of such signature formats is the key to the future success of cloud-based antivirus, and Immunet is heavily focused in this area.

Immunet previously has said that it has decided not to use the detections of other antivirus solutions in its inputs when determining if a program is malicious or not. Can you explain that?

Let me clarify a statement that I made previously on what we do when running alongside another antivirus product. Immunet Protect sees when other security products detect or block threats. It's quite easy to do this without interfering with or tampering with other products in any way. More specifically, we see threats that the user has received in some form arrive on their computer, and get quarantined. This information is sent up to Immunet; much like SANS DShield and Symantec DeepSight work for intrusion events. We track this information for reporting purposes and are still determining whether or not this information can be used directly to generate detections.

Bio

UnsafeBits is a blog by veteran journalist Robert Lemos. It covers the latest in computer-security research and documents the ongoing evolution of cybercriminal techniques.
Rob can be contacted at unsafebits-at-robertlemos.com.
