MS flaw highlights e-security laziness

Dept of Homeland Security warning

In an unprecedented move, the US Department of Homeland Security has issued a second warning over a Windows flaw that leaves computers vulnerable to attack.

The newly formed US federal government department said in its warning that a critical flaw in certain versions of the Windows operating system, if left unpatched, could leave computers open to dangerous cyber-attacks, some of which have the potential to allow the attacker to take control of a vulnerable system.

The warning comes two weeks after Microsoft issued its own bulletin notifying computer users of the problem and about a week after the Department of Homeland Security issued its first warning urging people and companies to fix their systems.

Essentially, the bug can allow malicious attackers to seize control of users' machines to steal files, read e-mails and launch wide-scale attacks that could damage the Internet as a whole. Microsoft has issued patches on its Web site to let administrators repair systems, but analysts have said that there is still a large proportion of computers plugged in to the Net that remain susceptible to attack.

This is said to be partly because Microsoft issues patches so frequently that they are increasingly being ignored. Last year the software giant issued about 70 patches, and about 30 have been made available this year.

The United States government is said to be especially worried over the latest flaw because it has the potential to hit so many computers. Homeland Security spokespeople have been quoted as saying that about 75 percent of the computers in the US rely on the flawed versions of Windows.

The move from Homeland Security simply highlights the lackadaisical attitude many network administrators have toward updating their systems -- a bad habit that e-security experts regularly rail against. Indeed, new research released this week from US e-security firm Qualys at the most recent Black Hat briefing in Las Vegas indicates that dangerous flaws often go unpatched for weeks, months or even indefinitely.

At the event, Qualys CTO Gerhard Eschelbeck unveiled the company's "Laws of Vulnerabilities," which were drawn from statistical analysis of more than 1.24 million vulnerabilities collected by 1.5 million scans during an 18-month period. Among other things, the company's research shows that half of vulnerable systems remain unfixed after 30 days, which means that critical flaws that can disrupt the world's computers don't completely die out and, over time, they may actually make comebacks.

Possibly more worrying is "law two" of the company's three laws, which says that 50 percent of the most prevalent and critical vulnerabilities are replaced by new vulnerabilities on an annual basis. Furthermore, 80 percent of vulnerability exploits are available to hackers within 60 days after the vulnerability release, the company claimed.
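The 30-day "half-life" above is an exponential decay model. As an added illustration (not the article's or Qualys's own code or data), the Python below fits a patching half-life to a constructed series of scan counts and projects how much of the fleet is still exposed when, by the article's figure, most exploits have appeared at day 60.

```python
import math

# Constructed scan series: (days since patch release, hosts still vulnerable).
# Not real Qualys data; it roughly follows a 30-day half-life.
SAMPLE_SCANS = [(0, 1000), (7, 850), (14, 720), (30, 500), (60, 250), (90, 120)]


def estimate_half_life(scans):
    """Fit ln(count) = a + b*day by least squares; half-life is ln(2) / (-b)."""
    # Drop scans with zero vulnerable hosts: log(0) is undefined.
    pts = [(float(d), math.log(c)) for d, c in scans if c > 0]
    if len(pts) < 2:
        raise ValueError("need at least two scans with vulnerable hosts")
    n = len(pts)
    mean_d = sum(d for d, _ in pts) / n
    mean_l = sum(l for _, l in pts) / n
    sxx = sum((d - mean_d) ** 2 for d, _ in pts)
    sxy = sum((d - mean_d) * (l - mean_l) for d, l in pts)
    slope = sxy / sxx
    if slope >= 0:
        raise ValueError("vulnerable count is not decreasing; no half-life")
    return math.log(2) / -slope


def remaining_fraction(half_life_days, day):
    """Share of hosts still unpatched after `day` days under a half-life model."""
    return 0.5 ** (day / half_life_days)


def days_until_fraction(half_life_days, target_fraction):
    """Days until only `target_fraction` of hosts remain vulnerable."""
    return half_life_days * math.log(target_fraction) / math.log(0.5)


def exposure_at_exploit_window(scans, window_days=60):
    """Projected fraction still exposed at the day most exploits exist (60 in the article)."""
    return remaining_fraction(estimate_half_life(scans), window_days)


if __name__ == "__main__":
    hl = estimate_half_life(SAMPLE_SCANS)
    print(f"fitted half-life: {hl:.1f} days (Qualys law: 30)")
    print(f"still exposed at day 60: {exposure_at_exploit_window(SAMPLE_SCANS):.0%}")
    print(f"days until 90% patched: {days_until_fraction(hl, 0.10):.0f}")
```

Feeding in your own scanner's counts for one bulletin gives an organisation-specific half-life to compare against the 30-day industry figure.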

"The security industry is flooded with constant, sometimes daily, warnings of new vulnerabilities, and they vary drastically in their degree of potential damage," said Eschelbeck. "With research like this, we can provide the industry with a statistical look at network threat trends in real time."

© ElectricNet.Net
