MS flaw highlights e-security laziness

Dept of Homeland Security warning


In an unprecedented move, the US Department of Homeland Security has issued a second warning over a Windows flaw that leaves computers vulnerable to attack.

The newly formed US federal government department said in its warning that a critical flaw in certain versions of the Windows operating system, if left unpatched, could leave computers open to dangerous cyber-attacks, some of which have the potential to allow the attacker to take control of a vulnerable system.

The warning comes two weeks after Microsoft issued its own bulletin notifying computer users of the problem and about a week after the Department of Homeland Security issued its first warning urging people and companies to fix their systems.

Essentially, the bug can allow malicious attackers to seize control of users' machines to steal files, read e-mails and launch wide-scale attacks that could damage the Internet as a whole. Microsoft has issued patches on its Web site to let administrators repair systems, but analysts have said that there is still a large proportion of computers plugged into the Net that remain susceptible to attack.

This is said to be partly because Microsoft issues patches so frequently that they are increasingly being ignored. Last year the software giant issued about 70 patches, and about 30 have been made available this year.

The United States government is said to be especially worried over the latest flaw because it has the potential to hit so many computers. Homeland Security spokespeople have been quoted as saying that about 75 percent of the computers in the US rely on the flawed versions of Windows.

The move from Homeland Security simply highlights the lackadaisical attitude many network administrators have toward updating their systems -- a bad habit that e-security experts regularly rail against. Indeed, new research released this week from US e-security firm Qualys at the most recent Black Hat briefing in Las Vegas indicates that dangerous flaws often go unpatched for weeks, months or even indefinitely.

At the event, Qualys CTO Gerhard Eschelbeck unveiled the company's "Laws of Vulnerabilities," which were drawn from statistical analysis of more than 1.24 million vulnerabilities collected by 1.5 million scans during an 18-month period. Among other things, the company's research shows that half of vulnerable systems remain unfixed after 30 days, which means that critical flaws that can disrupt the world's computers don't completely die out and, over time, they may actually make comebacks.

Possibly more worrying is "law two" of the company's three laws, which says that 50 percent of the most prevalent and critical vulnerabilities are replaced by new vulnerabilities on an annual basis. Furthermore, 80 percent of vulnerability exploits are available to hackers within 60 days after the vulnerability release, the company claimed.
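The two figures above (a 30-day patch half-life, and exploits appearing within 60 days) are easy to turn into a check against your own scan data. The following is an added example, not code from the article or from Qualys: it takes constructed scan records (host name, days from first detection to patch, or None if still open), computes the fleet's empirical half-life, compares the measured unpatched fraction with the exponential-decay curve implied by a constant 30-day half-life, and lists hosts that stayed vulnerable past the 60-day exploit window. The host names, day counts and the observation horizon are all assumptions made for the example.

```python
# Added example (not from the article or from Qualys): measure a fleet's own
# patch half-life from scan data and compare it with the 30-day half-life
# Qualys reported. All host names and day counts below are constructed.
from typing import List, Optional, Tuple

# One record per vulnerable host: (host, days from first detection until the
# patch was observed, or None if the host was still vulnerable at the last scan).
HORIZON_DAYS = 120  # constructed: length of the observation window in days
SCAN_RECORDS: List[Tuple[str, Optional[int]]] = [
    ("host-01", 3), ("host-02", 7), ("host-03", 12), ("host-04", 20),
    ("host-05", 30), ("host-06", 35), ("host-07", 45), ("host-08", 75),
    ("host-09", None), ("host-10", None),
]


def unpatched_fraction(records, day: int) -> float:
    """Fraction of hosts still unpatched `day` days after first detection."""
    if not 0 <= day <= HORIZON_DAYS:
        raise ValueError("day must lie inside the observation window")
    still_open = sum(1 for _, patched in records
                     if patched is None or patched > day)
    return still_open / len(records)


def empirical_half_life(records) -> Optional[int]:
    """First day on which at most half the hosts remain unpatched, or None
    if that never happens inside the observation window (the long tail)."""
    for day in range(HORIZON_DAYS + 1):
        if unpatched_fraction(records, day) <= 0.5:
            return day
    return None


def model_fraction(day: int, half_life_days: float = 30.0) -> float:
    """Exponential-decay curve implied by a constant half-life; with the
    default this is the 30-day law from the article."""
    return 0.5 ** (day / half_life_days)


def overdue_hosts(records, threshold_days: int = 60) -> List[str]:
    """Hosts that stayed vulnerable longer than `threshold_days`; 60 is the
    window within which the article says 80 percent of exploits appear."""
    return sorted(host for host, patched in records
                  if patched is None or patched > threshold_days)


if __name__ == "__main__":
    hl = empirical_half_life(SCAN_RECORDS)
    print(f"empirical half-life: {hl} days (Qualys law: 30 days)")
    for day in (30, 60, 90, HORIZON_DAYS):
        measured = unpatched_fraction(SCAN_RECORDS, day)
        print(f"day {day:3d}: measured {measured:.2f}, model {model_fraction(day):.3f}")
    print("overdue hosts:", overdue_hosts(SCAN_RECORDS))
```

The gap between the measured curve and the model at day 90 is the point the article makes about flaws not dying out: the constant-half-life model predicts 12.5 percent still open, while the constructed fleet has 20 percent of hosts that never get patched inside the window. Those hosts are what to isolate or patch first, because they sit past the period in which exploits are typically available.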

"The security industry is flooded with constant, sometimes daily, warnings of new vulnerabilities, and they vary drastically in their degree of potential damage," said Eschelbeck. "With research like this, we can provide the industry with a statistical look at network threat trends in real time."

© ElectricNet.Net
