Secunia: More work needed on patching


News

Secunia: More work needed on patching

Danny Bradbury

Users are still not patching software frequently enough, according to a report from vulnerability scanning company Secunia. The firm, which released its 2008 report in February, found that large percentages of key applications installed on client devices were insecure. Its Personal Software Inspector, which lists all unpatched applications, found that 96% of the 503 000 Java Runtime Environment 5.x installations it detected were unpatched and insecure. Eighty-three percent of the Macromedia Flash Player 6.x installations it found were insecure, and two thirds of Java Web Start installations were unpatched. “But even Microsoft has problems getting users to patch,” said the report. “Some 44% of all Word 2003 installations are vulnerable, and the reason is obvious: Windows Update only covers certain Microsoft products. For better coverage users need to install Microsoft Update.”

Ironically, given the problems with its latest zero-day attack, Adobe fared relatively well. Only a quarter of the Adobe Reader 8.x installations that Secunia found were insecure. “We still have a lot of work to do, or rather, the software vendors still have a lot of work to do,” the report continued. “Apparently their software is too hard to patch, resulting in too many of their users giving up.” The large numbers of infections following the release of the Conficker worm illustrate that point. Millions of machines became infected, even though a patch was made available late last year.

The number of zero-day attacks reported decreased from 20 to 12 in 2008, the report found. Microsoft remains a target of many malware authors because of the ubiquity of its software. Nine of last year’s zero-day attacks affected Microsoft software, with the other three targeting ActiveX controls, meaning that Microsoft products were still an attack vector.

This story first appeared in Computer Fraud & Security, www.computerfraudandsecurity.com

IN BRIEF

EU ISP law not OK

March saw the European Union Data Retention Directive coming into force. The new law requires that ISPs store IP interactions by their customers for up to a year. Law enforcement and security experts will be able to request access to the information to help combat terrorism and cyber crime, but only with a court order. The legislation has sparked serious concerns from privacy groups, IT security firms and legal experts.

Downwardly mobile

A survey of commuters by data protection company Credant Technologies has reported that 80% of mobile phone users store information on their devices that could be used to steal their identities. Six hundred commuters were questioned at London railway stations about their mobile phone storage habits. Sixteen per cent admitted to saving bank account details onto their mobile phones, while 24% used them to keep a note of their PIN numbers and passwords. Forty percent did not protect their devices with a password.

Bogus bomb, somewhere near you

Security labs have discovered a variant of malicious spam that is engineered to report an exploded bomb within the recipient’s vicinity. The ‘waledac’ variant, containing an apparent link to a Reuters website, shows the geolocation of the explosive as corresponding to the user’s IP address. The story, perhaps designed off the back of recent terrorism-related events, claims that 12 people have been killed in the blast, and over 40 wounded. Links to Wikipedia and Google are also included to convince the recipient of the veracity of the report.

Anti-phishing organisation launches common reporting standard

Danny Bradbury

The non-profit Anti-Phishing Working Group (APWG) has unveiled a common cyber-crime reporting format that it hopes will make it easier for private organisations and law enforcers to share information. The protocol, based on an existing security incident reporting format, will be used to support a hosted collaboration system run by the group. The format is called the Extension to IODEF-Document Class for Reporting Phishing, Fraud, and Other Non-Network Layer Reports. It builds on the Incident Object Data Exchange Format (IODEF) created by the IETF, which was designed to let computer security incident response teams (CSIRTs) exchange information on security incidents.

APWG chair David Jevans said that the system could be used to identify trends across organisations that may otherwise have gone unnoticed. “You might not notice something if you’re just one bank, but if 10 banks share this information then you will start to see these patterns,” he said. The reporting format will form the basis for the expanded APWG online reporting system, which Jevans says has been four years in the making, and which will be unveiled at the third Counter eCrime Operations Summit (CeCOS) in Barcelona in May. The APWG already operates a phishing URL repository that enables partners to share information at a single point. The expanded system will hold information such as source IP addresses for malicious attacks, sites that are recruiting money mules, and domains that are being registered for malicious purposes. The system will also make it easier and
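The cross-organisation pattern spotting Jevans describes only works if every partner submits reports in the same machine-readable layout. The Python below is an added example, not APWG or IETF code: it builds constructed IODEF 1.0 (RFC 5070) incident reports from three hypothetical banks, using only core IODEF elements rather than the APWG phishing extension, and flags any source address that more than one organisation has reported.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
NS = {"iodef": IODEF_NS}

def make_report(org, incident_id, src_ip):
    """Build a constructed IODEF 1.0 (RFC 5070) report; org, id and IP are sample values."""
    # Assumption: the lure's source address is carried in the core EventData/Flow/System
    # element; the APWG phishing-extension elements are not modelled here.
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<IODEF-Document version="1.00" xmlns="{IODEF_NS}">
  <Incident purpose="reporting">
    <IncidentID name="{org}">{incident_id}</IncidentID>
    <ReportTime>2009-03-01T10:00:00+00:00</ReportTime>
    <Assessment><Impact type="info-leak" completion="failed"/></Assessment>
    <Contact role="creator" type="organization"><ContactName>{org}</ContactName></Contact>
    <EventData><Flow><System category="source">
      <Node><Address category="ipv4-addr">{src_ip}</Address></Node>
    </System></Flow></EventData>
  </Incident>
</IODEF-Document>"""

# Constructed sample feed: three hypothetical banks all see one source address,
# and bank A alone sees a second one.
SAMPLE_REPORTS = [
    make_report("bank-a.example", "A-1", "192.0.2.10"),
    make_report("bank-b.example", "B-7", "192.0.2.10"),
    make_report("bank-c.example", "C-3", "192.0.2.10"),
    make_report("bank-a.example", "A-2", "198.51.100.5"),
]

def source_addresses(xml_text):
    """Yield (reporting organisation, source IP) pairs from one IODEF document."""
    root = ET.fromstring(xml_text)
    for inc in root.findall("iodef:Incident", NS):
        org = inc.findtext("iodef:Contact/iodef:ContactName", namespaces=NS)
        path = ".//iodef:System[@category='source']/iodef:Node/iodef:Address"
        for addr in inc.findall(path, NS):
            yield org, addr.text

def shared_sources(reports, min_orgs=2):
    """Map each source IP to the sorted organisations that reported it, keeping only
    IPs seen by at least min_orgs distinct reporters: the cross-bank pattern that a
    single bank's own logs would not reveal."""
    seen = defaultdict(set)
    for doc in reports:
        for org, ip in source_addresses(doc):
            seen[ip].add(org)
    return {ip: sorted(orgs) for ip, orgs in seen.items() if len(orgs) >= min_orgs}

if __name__ == "__main__":
    print(shared_sources(SAMPLE_REPORTS))
```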


APRIL 2009