Computer Security Will Never Be the Same
This has been a remarkable month and the impact on how I view computer security will never be the same. The last time anything like this occurred was in the 90’s when I was infected with a complex worm looking to steal AOL passwords. When customer support told me to format my hard drive it encouraged me to create WinPatrol. The concept used in WinPatrol had never been done before but since my programming skills were busy on other projects it remained just a side project.
I started April 2014 making it clear what Microsoft’s lack of support for Windows XP would really mean. By the end of the month the worse case prediction appears to be coming true. Microsoft received details of an active zero-Day vulnerability from security platform developer, FireEye. Not only does this threat affect nearly all versions of Internet Explorer and Windows, attacks using this vulnerability are currently being reported.
The software already “in the wild” uses a Flash(.swf) file to call JavaScript in Internet Explorer eventually accessing protected memory that had been randomized as a form of protection. The entry method has been a known flaw since last October but until now wasn’t found to trigger this kind of attack. Microsoft has posted a new security advisory at https://technet.microsoft.com/en-US/library/security/2963983. The Microsoft Security Response Center has been working through the weekend testing a solution they hope to release soon. Even though the flaw is in Internet Explorer if you’re using Windows XP you won’t receive an update. No matter how much you’re tempted to view a video you hear about on Facebook, Twitter or in your Email, don’t do it.
The other major concern in April was called Heartbleed. While the media coverage was over the top, few really understood what this software failure meant. You may have heard that 66% of the worlds web servers were affected. In fact, less than 7% were actually running a version of the program OpenSSL that allowed access to 64kb chucks of data belonging to others. Even with this seemingly low number, Heartbleed opens up a couple of troubling issues. Problem #1: Data exposed by this flaw was raw and unencrypted. It was available to anyone no matter how secure you made your computer or how sophisticated the attack. The attacker didn’t need to know you to access your data. Problem #2: This event demonstrated how defenseless we all are any time we use the Internet. This was the result of a programmer and reviewers missing a simple error. I can only imagine how much of the Internet uses software with existing backdoors created by design.
This year I’ve done a lot to make WinPatrol easier and useful to a wider audience. Given these serious threats my motivation hasn’t diminished. The basic concept of WinPatrol detecting changes continues to be a model that make sense. While some attacks may require the PLUS version we have one advantage. Ironically, WinPatrol isn’t always taken seriously so it continues to notify users while many popular Anti-Virus programs are disabled.
.
UPDATE 5/2/2014
Microsoft has released a security update on May 1st. This update will repair the failure found in Microsoft Internet Explorer.
Security Garden: Out of Band Security Update for IE Zero-Day Vulnerability
The patch is available as a Windows Auto Update. Microsoft surprised many by making this available on machines running Windows XP.
WinBeta: I’m sorry Windows XP users, but Microsoft shouldn’t have patched your OS
Labels: HeartBleed, Internet, Laptop, Microsoft, OpenSSL, privacy, safety, Security, Vulnerability, WinPartrol, x64, Zero Day