I found these three articles while catching up with my feed reader today, and all of them are worth reading.

The first one is important for all Microsoft users…Security Fix says that there’s a New Attack that Piggybacks on Microsoft’s Patch Service. That means we finally have the ultimate MS killer app: viruses and trojans installed automatically by your computer, without *any* action from the user! How cool is that? :)

The real danger is — assuming the Trojan sneaks past a user’s anti-virus software — the user’s software firewall likely would not detect the outgoing connection when the victim’s machine starts downloading the second-stage payload. That’s because BITS is a legitimate system service that the firewall would allow by default, or the user long ago allowed it permanent access in and out of the firewall.

This technique depends on you getting infected by a trojan first; at least that’s how Frank Boldewin first saw it used. Said trojan then uses BITS (the Background Intelligent Transfer Service that Windows Update itself relies on) to download the rest of the payload in a “second stage” and gets your computer ready for whatever the perpetrator wants to use it for. So…keep your anti-virus programs up to date, and pray that your provider has a way to catch the initial trojan before it gets in.
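Since the point of the attack is that BITS traffic looks legitimate to a firewall, the practical check on a Windows box is to look at the BITS job queue itself rather than at the network. The script below is an added example written for this post, not code from Security Fix or from Frank Boldewin: it lists every user’s BITS jobs with the built-in `Get-BitsTransfer` cmdlet and reports any job whose download URL points at a host outside an allowlist. The allowlist contents are an assumption (a constructed placeholder, not a vetted list of Microsoft update hosts), and `-AllUsers` needs an elevated prompt.

```powershell
# Added example, not part of the original post.
# Lists BITS jobs for all users and flags downloads from hosts that are
# not on an allowlist. Run from an elevated PowerShell session.
Import-Module BitsTransfer

# ASSUMPTION: placeholder allowlist; replace with the hosts your patch
# infrastructure actually uses (e.g. an internal WSUS server).
$AllowedHosts = @(
    'windowsupdate.microsoft.com',
    'update.microsoft.com',
    'download.windowsupdate.com'
)

function Test-AllowedHost {
    param([string]$Url)
    # Unparseable URLs are treated as suspicious, not silently ignored.
    try { $hostName = ([System.Uri]$Url).Host } catch { return $false }
    foreach ($h in $AllowedHosts) {
        if ($hostName -eq $h -or $hostName.EndsWith(".$h")) { return $true }
    }
    return $false
}

function Get-SuspiciousBitsJob {
    # Every queued, running or completed-but-unacknowledged job, for every user.
    $jobs = Get-BitsTransfer -AllUsers -ErrorAction Stop
    foreach ($job in $jobs) {
        foreach ($file in $job.FileList) {
            if (-not (Test-AllowedHost $file.RemoteName)) {
                [PSCustomObject]@{
                    JobId     = $job.JobId
                    Name      = $job.DisplayName
                    Owner     = $job.OwnerAccount
                    State     = $job.JobState
                    RemoteUrl = $file.RemoteName
                    LocalPath = $file.LocalName
                }
            }
        }
    }
}

Get-SuspiciousBitsJob | Format-Table -AutoSize
```

An empty table is the expected result on a clean machine. A job owned by an ordinary user account, pulling from an unfamiliar host into a path such as a temp directory, is exactly the pattern described above and is worth investigating before the transfer completes; the legacy `bitsadmin /list /allusers /verbose` command shows the same queue on systems without the PowerShell module.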

The second interesting article also comes from Security Fix, and reports that Firefox Surfers Are More Likely Patched Than IE Users. Secunia, an Internet security vendor, researches which software is unpatched on desktop computers. Out of 4.9 million programs they checked, 1.4 million were missing critical security patches that had already been released. That is, 28% of the programs they scanned were security holes waiting to be exploited.

Among browsers, they checked Firefox, IE and Opera…and found that Firefox 2 was the least vulnerable (i.e., the one users kept most up to date), with only 5.19% of Firefox installations unpatched, while 11.96% of Opera 9.x installations were unpatched and 9.61% of IE6 and 5.4% of IE7 users hadn’t kept up with patching.

All of these stats are for Windows programs, the only OS they check. How is your computer doing? Check it with Secunia’s Software Inspector.

The last article I found was, as often happens, a post by Bruce Schneier, this one asking Is Penetration Testing Worth It?

He goes on to analyze both sides of the debate: whether it’s an important security tool, or just a great way to get taken to the rack when your company is sued and the opposing lawyer figures out that you haven’t fixed the 2,152 possible ways to break into your network that the latest pen test reported to you.

If you think about it, penetration testing is an odd business. Is there
an analogue to it anywhere else in security? Sure, militaries run these
exercises all the time, but how about in business? Do we hire burglars
to try to break into our warehouses? Do we attempt to commit fraud
against ourselves? No, we don’t.

Go check all three articles (and run your Windows box through Secunia’s Software Inspector) and enjoy.

vox