MS flaw highlights e-security laziness
Dept of Homeland Security warning
In an unprecedented move, the US Department of Homeland Security has issued a second warning over a Windows flaw that leaves computers vulnerable to attack.
The newly formed US federal government department said in its warning that a critical flaw in certain versions of the Windows operating system, if left unpatched, could leave computers open to dangerous cyber-attacks, some of which have the potential to allow the attacker to take control of a vulnerable system.
The warning comes two weeks after Microsoft issued its own bulletin notifying computer users of the problem and about a week after the Department of Homeland Security issued its first warning urging people and companies to fix their systems.
Essentially, the bug can allow malicious attackers to seize control of users' machines to steal files, read e-mails and launch wide-scale attacks that could damage the Internet as a whole. Microsoft has issued patches on its Web site to let administrators repair systems, but analysts have said that there is still a large proportion of computers plugged into the Net that remain susceptible to attack.
This is said to be partly because Microsoft issues patches so frequently that they are increasingly being ignored. Last year the software giant issued about 70 patches, and about 30 have been made available this year.
The United States government is said to be especially worried over the latest flaw because it has the potential to hit so many computers. Homeland Security spokespeople have been quoted as saying that about 75 percent of the computers in the US rely on the flawed versions of Windows.
The move from Homeland Security simply highlights the lackadaisical attitude many network administrators have toward updating their systems, a bad habit that e-security experts regularly rail against. Indeed, new research released this week from US e-security firm Qualys at the most recent Black Hat briefing in Las Vegas indicates that dangerous flaws often go unpatched for weeks, months or even indefinitely.
At the event, Qualys CTO Gerhard Eschelbeck unveiled the company's "Laws of Vulnerabilities," which were drawn from statistical analysis of more than 1.24 million vulnerabilities collected by 1.5 million scans during an 18-month period. Among other things, the company's research shows that half of vulnerable systems remain unfixed after 30 days, which means that critical flaws that can disrupt the world's computers don't completely die out and, over time, they may actually make comebacks.
Possibly more worrying is "law two" of the company's three laws, which says that 50 percent of the most prevalent and critical vulnerabilities are replaced by new vulnerabilities on an annual basis. Furthermore, 80 percent of vulnerability exploits are available to hackers within 60 days after the vulnerability release, the company claimed.
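To make the "half-life" figure concrete, the following is an added example (not code from the article or from Qualys) that models the Qualys observation as exponential decay: if half of the vulnerable systems are still unfixed after 30 days, the fraction remaining after t days is 0.5^(t/30). It also fits a half-life from a constructed series of scan snapshots, so an administrator tracking their own scan results could compare their patch rate with the industry figure. The exponential-decay assumption, the 30-day half-life, the 60-day exploit window and the scan counts are taken from the article's stated numbers or constructed here; the function names are this example's own.

```python
import math

# Qualys "law one" as reported in the article: half of vulnerable systems
# remain unfixed after 30 days. Modelled here as an exponential half-life
# (an assumption of this example, not a claim made by the article).
HALF_LIFE_DAYS = 30.0

# "Law three" as reported: 80% of exploits appear within 60 days of release.
EXPLOIT_WINDOW_DAYS = 60.0

# Constructed scan snapshots: (days since disclosure, hosts still vulnerable).
# These are invented values that follow a ~30-day half-life for illustration.
SCAN_SNAPSHOTS = [(0, 1000), (10, 794), (20, 630), (30, 500), (60, 250)]


def remaining_fraction(days, half_life_days=HALF_LIFE_DAYS):
    """Fraction of originally vulnerable hosts still unpatched after `days`."""
    return 0.5 ** (days / half_life_days)


def days_until_fraction(target_fraction, half_life_days=HALF_LIFE_DAYS):
    """Days until only `target_fraction` of the vulnerable population remains.

    Solving 0.5**(t/h) = f gives t = h * log2(1/f).
    """
    if not 0 < target_fraction <= 1:
        raise ValueError("target_fraction must be in (0, 1]")
    return half_life_days * math.log2(1.0 / target_fraction)


def unpatched_at_exploit_window(exploit_days=EXPLOIT_WINDOW_DAYS,
                                half_life_days=HALF_LIFE_DAYS):
    """Fraction of hosts still exposed by the time most exploits exist."""
    return remaining_fraction(exploit_days, half_life_days)


def estimate_half_life(snapshots):
    """Estimate the patch half-life from (days, vulnerable_count) snapshots.

    Fits ln(count) = a + b*days by least squares; the half-life is -ln2 / b.
    Counts must be positive so the logarithm is defined.
    """
    days = [float(d) for d, _ in snapshots]
    logs = [math.log(c) for _, c in snapshots]
    if len(days) < 2:
        raise ValueError("need at least two snapshots")
    mean_d = sum(days) / len(days)
    mean_l = sum(logs) / len(logs)
    sxy = sum((d - mean_d) * (l - mean_l) for d, l in zip(days, logs))
    sxx = sum((d - mean_d) ** 2 for d in days)
    slope = sxy / sxx
    if slope >= 0:
        raise ValueError("vulnerable count is not decreasing; no half-life")
    return -math.log(2) / slope


if __name__ == "__main__":
    print(f"remaining after 30 days:  {remaining_fraction(30):.2f}")
    print(f"remaining at 60-day exploit window: "
          f"{unpatched_at_exploit_window():.2f}")
    print(f"days until 1% remain:     {days_until_fraction(0.01):.0f}")
    print(f"fitted half-life from scans: {estimate_half_life(SCAN_SNAPSHOTS):.1f} days")
```

Under this model a quarter of the originally vulnerable hosts are still exposed when the 60-day exploit window closes, and it takes roughly 200 days before the residual population drops to 1 percent, which is the long tail that lets old flaws "make comebacks." Feeding your own scanner's counts into `estimate_half_life` shows whether your environment patches faster or slower than the 30-day industry figure.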
"The security industry is flooded with constant, sometimes daily, warnings of new vulnerabilities, and they vary drastically in their degree of potential damage," said Eschelbeck. "With research like this, we can provide the industry with a statistical look at network threat trends in real time."