Patch often: Cyber-crim toolkits love stinky old gaping holes
Updating software is better than relying on AV - shock finding
More than two in three exploits kits that attempt to inject malware into web surfers' computers were developed in Russia - and at least one in two exploit rather old vulnerabilities.
Blackhole 2.0 is the most often used hacking toolkit - installed on websites to attack and take over visitors' computers - but it targets fewer software security holes than rival cybercrime kits. That's according to a fresh report by managed security biz Solutionary.
Contrary to hype that exploit kits target unpatched flaws in products, Solutionary found the majority (58 per cent) of exploited vulnerabilities were more than two years old.
The company reviewed 26 commonly used kits and discovered code abusing security bugs dating as far back as 2004, evidence that old vulnerabilities continue to be mined for profit for cybercrooks. Criminal hackers typically compromise otherwise legitimate websites to plant hacking toolkits and distribute fake antivirus software, banking Trojans and other nasties.
Researchers at the security firm concluded that antivirus products cannot detect 67 per cent of malware being distributed, a finding that is likely to be controversial. The practical upshot is that surfers would be wise to regularly update applications - especially Adobe Flash, web browsers and the Java runtime - rather than rely on security scanners to block any attacks that come their way.
"Exploit kits largely focus on targeting end-user applications,” said Rob Kraus, a director of security research at Solutionary. “As a result, it is vital that organisations pay close attention to patch management and endpoint security controls in order to significantly decrease the likelihood of compromise."
A complete copy of Solutionary's Q4 2012 threat report can be found here (registration required). ®
Re: how many times have I correctly told you that AV software doesn't work
Perhaps you get voted down for stuff unrelated to the post; for being a bit smug perhaps.
"how many times have I correctly told you that AV software doesn't work"
So no anti virus software has ever picked up any malware?
Good, on that basis everyone should remove it immediately, as you say it's not needed, and there have NEVER been any detections, ever!
I feel much safer.
Next week folks, remove seatbelts, air-bags and crumple zones from your cars as not crashing is the best method of defence.
Re: "So we should regularly update our Java runtimes?"
Or just not use the Java plugin.
It's amazing how many people are completely confused by the fact that having a "Java runtime" or a "Java JDK" does not imply that it will run Applets from the Internet unless the browser has been configured to do so or one runs JNLP files indiscriminately. Additionally, JVMs from some vendors may exhibit security problems, JVMs from other vendors may not.
In the December 2012 of IEEE Computer, Lee Garber (IEEE Computer Society’s senior news editor) writes about the Java (or rather, the Snoracle) Security wobbles and seems to be totally unsure about the difference between applet running and application running. He then cites Gary McGraw, chief technology officer of software-security consultancy Cigital (who he?) who proceeds to say:
“Java is beginning to show its age. There are many newer platforms that might be better from a security perspective, such as Ruby on Rails, HTML5, and .NET.”
Total confusion. Or lazyness. Or worse. RoR for running applets? .NET?? Securely??? I don't think so.