In my previous post we discussed Shellshock, the GNU Bourne Again Shell (Bash) vulnerability which was made public last week. News continues to pour in as the researchers and vendors (and probably a few blackhats) try to understand the true scope of the problem. So today we’ll discuss a few updates to the situation since we published the other day.
That’s what the IT folks at a major aerospace engineering firm told my friend DS when he couldn’t log onto their intranet last week. That something shut down their entire system for an entire day.
Google has announced that it is assembling a crack team of researchers, devoted to finding and reporting security holes in widely used software.
According to Google security engineer Chris Evans, the group – which has been dubbed “Project Zero” – aims to uncover unpatched security vulnerabilities before they are exploited in targeted internet attacks.
IT admins can’t seem to catch a break this year. First, the never ending stream of Java issues that has kept folks on their toes since January. Now they’ve got another busy month of patches ahead of them, with 7 total patches from Microsoft, 4 of which are critical. However, once again the issues outside of Microsoft will likely eclipse the Patch Tuesday patches this month.
While many are jumping on the ‘Death to Java’ bandwagon and ranting about turning off Java to eliminate risk, it is important to put the issue in the proper context: the reality of the matter is a Java vulnerability is not the end game for a cyber criminal; it is merely a delivery mechanism in the quest to install a bigger malware foothold.
It’s going to be a rough Valentine’s Day for many IT admins this month. With ongoing issues with Java and 12 bulletins from Microsoft, including 5 critical issues and many restarts, it’s going to be a very disruptive Patch Tuesday.
It’s disturbing to note how many different Microsoft platforms are critically affected this month.
Before virtualization even became an official buzzword, IT industry watchers began pointing to its security risks. Now that virtualization is mainstream, few will come out and say virtual environments are inherently less secure—but there remains a tendency to deploy virtual servers and virtual desktops insecurely.
Of course, with that tendency comes the potential for security breaches.
So far, it looks like 2013 is off to a fairly average start with 7 bulletins: 2 critical and 5 important. You may recall that January of 2012 also came in with 7 bulletins, though only 1 was critical. After closing out 2012 with more consistency in the number of patches per month, we can only hope that 2013 will continue in that same vein.
Ransom-ware has matured since it was first seen in 1989 with the PC Cyborg Trojan. Today, it is big business for cyber criminals; and for good reason. A September article reported cyber criminals could earn between $50,000 and $60,000 a day by focusing their efforts on just a couple of countries.
The severity of ransom-ware’s impact depends on the specific software used in the attack.
IT has 7 patches to deal with in December; 5 are critical and 2 are important. Fortunately, none are currently under active attack so that will hopefully set IT’s mind at ease as they begin to apply this set of patches.
2012 in Review
With the multitude of third-party application patching needed this year from the likes of Adobe,
I’m concerned about the results of our fourth annual State of the Endpoint study just completed by the Ponemon Institute. Over the years, IT pros have reported shrinking confidence in the security of their networks. While this year is no different, the number of IT security pros who responded no, they are not more confident or don’t know has edged up yet again.
While not an all encompassing review of the security features available in Windows 8, this post takes a quick look at some of the more noteworthy capabilities in this latest iteration from Microsoft.
Windows 8 Base Security Features
Windows Defender has evolved from a spyware product to a relatively good malware defense product.
Is this September’s light Patch Tuesday a reflection of the maturity of Microsoft’s secure coding initiatives? One can only hope…
Some vendors scrambled with repeated emergency patches last week just days apart and others seemed to just shrug off multiple day zero vulnerabilities. To the delight of IT pros everywhere though, Microsoft has given us the least disruptive Patch Tuesday we’ve seen in a long time.
IT administrators will have to deal with more fireworks this month with Microsoft’s Patch Tuesday. This month there are 9 patches, 3 of which are critical and 6 important. This is more than double last year’s July patches: 4 total, with only 1 critical. This puts Microsoft at 51 bulletins for 2012, about on par with 2011,