MS flaw highlights e-security laziness

Dept of Homeland Security warning


In an unprecedented move, the US Department of Homeland Security has issued a second warning over a Windows flaw that leaves computers vulnerable to attack.

The newly formed US federal government department said in its warning that a critical flaw in certain versions of the Windows operating system, if left unpatched, could leave computers open to dangerous cyber-attacks, some of which have the potential to allow the attacker to take control of a vulnerable system.

The warning comes two weeks after Microsoft issued its own bulletin notifying computer users of the problem and about a week after the Department of Homeland Security issued its first warning urging people and companies to fix their systems.

Essentially, the bug can allow malicious attackers to seize control of users' machines to steal files, read e-mails and launch wide-scale attacks that could damage the Internet as a whole. Microsoft has issued patches on its Web site to let administrators repair systems, but analysts have said that there is still a large proportion of computers plugged in to the Net that remain susceptible to attack.

This is said to be partly because Microsoft issues patches so frequently that they are increasingly being ignored. Last year the software giant issued about 70 patches, and about 30 have been made available this year.

The United States government is said to be especially worried over the latest flaw because it has the potential to hit so many computers. Homeland Security spokespeople have been quoted as saying that about 75 percent of the computers in the US rely on the flawed versions of Windows.

The move from Homeland Security simply highlights the lackadaisical attitude many network administrators have toward updating their systems, a bad habit that e-security experts regularly rail against. Indeed, new research released this week by US e-security firm Qualys at the most recent Black Hat briefing in Las Vegas indicates that dangerous flaws often go unpatched for weeks, months or even indefinitely.

At the event, Qualys CTO Gerhard Eschelbeck unveiled the company's "Laws of Vulnerabilities," which were drawn from statistical analysis of more than 1.24 million vulnerabilities collected by 1.5 million scans during an 18-month period. Among other things, the company's research shows that half of vulnerable systems remain unfixed after 30 days, which means that critical flaws that can disrupt the world's computers don't completely die out and, over time, they may actually make comebacks.

Possibly more worrying is "law two" of the company's three laws, which says that 50 percent of the most prevalent and critical vulnerabilities are replaced by new vulnerabilities on an annual basis. Furthermore, 80 percent of vulnerability exploits are available to hackers within 60 days after the vulnerability release, the company claimed.
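As an added illustration, not from the article or from Qualys, the following Python measures the kind of remediation half-life the research describes from a small set of constructed scan snapshots, and the share of hosts still exposed at the 60-day mark by which most exploits are said to appear. Host names, the vulnerability id and the dates are made up.

```python
from datetime import date, timedelta

# Constructed scan records: (scan date, host, vulnerability id, finding present?).
# Hypothetical hosts and ids, not real scan data.
SCANS = [
    (date(2003, 7, 17), "srv-01", "VULN-A", True),
    (date(2003, 7, 17), "srv-02", "VULN-A", True),
    (date(2003, 7, 17), "srv-03", "VULN-A", True),
    (date(2003, 7, 17), "srv-04", "VULN-A", True),
    (date(2003, 7, 24), "srv-01", "VULN-A", False),  # patched at day 7
    (date(2003, 8, 14), "srv-02", "VULN-A", False),  # patched at day 28
    (date(2003, 9, 18), "srv-03", "VULN-A", False),  # patched at day 63
    (date(2003, 9, 18), "srv-04", "VULN-A", True),   # still exposed
]

def fix_dates(scans, vuln_id):
    """Return ({host: first date seen vulnerable}, {host: first later date seen fixed})."""
    first_seen, fixed_on = {}, {}
    for when, host, vuln, present in sorted(scans):
        if vuln != vuln_id:
            continue
        if present:
            first_seen.setdefault(host, when)
        elif host in first_seen and host not in fixed_on:
            fixed_on[host] = when
    return first_seen, fixed_on

def fraction_unfixed(scans, vuln_id, day):
    """Share of hosts ever seen vulnerable that were not yet fixed `day` days after first detection."""
    first_seen, fixed_on = fix_dates(scans, vuln_id)
    if not first_seen:
        return None  # vulnerability never observed in these scans
    cutoff = min(first_seen.values()) + timedelta(days=day)
    still = sum(1 for h in first_seen if h not in fixed_on or fixed_on[h] > cutoff)
    return still / len(first_seen)

def remediation_half_life(scans, vuln_id, horizon=365):
    """Smallest day count at which at most half the affected hosts remain unfixed, or None."""
    for day in range(horizon + 1):
        frac = fraction_unfixed(scans, vuln_id, day)
        if frac is None:
            return None
        if frac <= 0.5:
            return day
    return None
```

Run against real scanner exports, the same two numbers tell a defender whether a flaw's half-life on their network is shorter than the window in which exploits typically surface.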

"The security industry is flooded with constant, sometimes daily, warnings of new vulnerabilities, and they vary drastically in their degree of potential damage," said Eschelbeck. "With research like this, we can provide the industry with a statistical look at network threat trends in real time."

© ElectricNet.Net
