MS flaw highlights e-security laziness

Dept of Homeland Security warning

In an unprecedented move, the US Department of Homeland Security has issued a second warning over a Windows flaw that leaves computers vulnerable to attack.

The newly formed US federal government department said in its warning that a critical flaw in certain versions of the Windows operating system, if left unpatched, could leave computers open to dangerous cyber-attacks, some of which have the potential to allow the attacker to take control of a vulnerable system.

The warning comes two weeks after Microsoft issued its own bulletin notifying computer users of the problem and about a week after the Department of Homeland Security issued its first warning urging people and companies to fix their systems.

Essentially, the bug can allow malicious attackers to seize control of users' machines to steal files, read e-mails and launch wide-scale attacks that could damage the Internet as a whole. Microsoft has issued patches on its Web site to let administrators repair systems, but analysts have said that a large proportion of computers plugged into the Net still remain susceptible to attack.

This is said to be partly because Microsoft issues patches so frequently that they are increasingly being ignored. Last year the software giant issued about 70 patches, and about 30 have been made available this year.

The United States government is said to be especially worried over the latest flaw because it has the potential to hit so many computers. Homeland Security spokespeople have been quoted as saying that about 75 percent of the computers in the US rely on the flawed versions of Windows.

The move from Homeland Security simply highlights the lackadaisical attitude many network administrators have toward updating their systems -- a bad habit that e-security experts regularly rail against. Indeed, new research released this week by US e-security firm Qualys at the most recent Black Hat briefing in Las Vegas indicates that dangerous flaws often go unpatched for weeks, months or even indefinitely.

At the event, Qualys CTO Gerhard Eschelbeck unveiled the company's "Laws of Vulnerabilities," which were drawn from statistical analysis of more than 1.24 million vulnerabilities collected by 1.5 million scans during an 18-month period. Among other things, the company's research shows that half of vulnerable systems remain unfixed after 30 days, which means that critical flaws that can disrupt the world's computers don't completely die out and, over time, they may actually make comebacks.

Possibly more worrying is "law two" of the company's three laws, which says that 50 percent of the most prevalent and critical vulnerabilities are replaced by new vulnerabilities on an annual basis. Furthermore, 80 percent of vulnerability exploits are available to hackers within 60 days after the vulnerability release, the company claimed.

"The security industry is flooded with constant, sometimes daily, warnings of new vulnerabilities, and they vary drastically in their degree of potential damage," said Eschelbeck. "With research like this, we can provide the industry with a statistical look at network threat trends in real time."

© ElectricNet.Net