As Microsoft prepares to cut off support for Windows XP, hackers are sharpening their knives in anticipation of carving up the operating system's carcass.
Web predators will pounce on XP 10 minutes after Microsoft pulls the support plug on the software, predicted one former military computer specialist and network engineer.
Indeed, it appears that information highwaymen are stockpiling ammunition for a series of assaults on the operating system. "There are a number of zero-day exploits against Windows XP that have been already discovered but neither reported, nor used in order to be exploited after the support period has ended," Bitdefender reported last week.

"These exploits could stay effective for years, causing damage to the user or company stuck with Windows XP," the report warns. "If, up until now, XP customers had a bad time with malware because they were unable to apply hotfixes [for] different reasons, the situation will become worse as, even if the customers wanted, they would not have any new hotfixes to apply after April 2014."

Feeding Frenzy

Stockpiles of zero-day exploits aren't the only threat XP users will have to worry about after XP support disappears. Microsoft itself could provide hackers with weapons to attack the OS. That's because each version of Windows shares code and logic with previous versions.
"If you were to find a defect in Windows 8, then that defect probably exists backwards to other Windows versions," Adam Wosotowsky, a messaging data architect with McAfee, told TechNewsWorld.
So clever cybercriminals will be closely studying fixes for supported versions of Windows for clues to XP flaws.
"People can look at those patches and think, 'What were they patching? I bet this same problem exists in XP, but it's not patched because they're no longer patching it,'" Wosotowsky said.
"The security of an operating system drops off a cliff when support ends. It's not that defects exist in the code, it's that they're not getting patched," he noted. "As Microsoft patches recent versions of Windows, it will become a feeding frenzy as hackers use those patches to attack XP."

Office for iPad Security

Microsoft Office users who have longed for a version on their iPads had their wishes fulfilled last week.
Besides satisfying the desires of tablet users, the move also should be welcomed by security pros, maintained Wolfgang Kandek, CTO of Qualys.
"The iPad is a much safer device than laptops and desktops. Software installed on it is controlled through the App Store, and the architecture is much newer than what you'd find on a typical Windows computer," he told TechNewsWorld.
"Folding Office into the Apple ecosystem means it gets the same benefits as other apps in the ecosystem," Kandek said.
"For example, you get a streamlined updating process. Many of the problems with software are that outdated, vulnerable versions are being used," he explained. "We'd all be better off if we used the latest version of Office, which was engineered with malicious actors in mind."

Dual Identities

Even with Apple's walled garden model, though, some security concerns will continue to exist, especially since it will be easier to stuff sensitive corporate documents into an iPad and work on them there.
"If you're working on Word docs and potentially sensitive PowerPoint presentations and storing them, then an enterprise needs to make sure those documents remain confidential and aren't leaked," Paul Madsen, a senior technical architect with Ping Identity, told TechNewsWorld.
As with native Apple apps, Microsoft is keen on linking what happens in Office for the iPad to its OneDrive cloud service. That too needs to be scrutinized in an enterprise environment.
"The security of how those documents are pushed up to Microsoft's cloud is also critical," Madsen said. "Identity management is necessary for both those pieces."
To protect company Office files on an iPad that's used for both work and personal tasks, it may be necessary to give the device a dual personality.
"If you want to reconcile the use of Office with Facebook, Angry Birds and personal email," Madsen observed, "then the current trend is to turn that device into something that supports two identities: the dual persona model, where the enterprise can slice off a corner of the employee's device, impose their own policy, and be confident of the security of their own data -- but not impose Draconian rules on how the employee uses the rest of the device."

Breach Diary

  • March 24. Reports based on documents leaked by Edward Snowden reveal that the NSA spied on servers and executives of Chinese networking company Huawei Technologies.
  • March 24. Microsoft reports a vulnerability in its Word program that could allow a hacker to gain control of a computer. The flaw, triggered by RTF files, can be activated without opening the file if it is previewed in Microsoft Outlook with its RTF preview option enabled.
  • March 24. Secure Domain Foundation, a multistakeholder organization, is launched to fight domain-based security threats.
  • March 25. Cross-platform password manager LastPass releases a version of its software for Android and for Google Chrome on Android.
  • March 25. French consumer group UFC-Que Choisir sues Google, Facebook and Twitter over data collection clauses in their privacy policies. It contends those provisions violate French law.
  • March 25. Data breach notification bill introduced in New Mexico House of Representatives. The measure requires that consumers be notified within 10 days of the discovery of a data breach that exposes unencrypted personal data of consumers.
  • March 26. Two banks sue IBM company Trusteer, claiming the company failed to adequately protect Target from hackers who breached the retailer's systems last year and stole payment card and personal information of some 110 million customers. Trustmark National Bank and Green Bank N.A. are seeking US$5 million in damages from Trusteer and Target, also named as a defendant in the lawsuit.
  • March 27. Yahoo reports government requests for information about its users declined in the second half of 2013 compared to the first half, to 21,425 from 29,740. Meanwhile, such requests jumped at Google to 27,477 from 25,879.
  • March 27. Christian Decker and Roger Wattenhofer of the Distributed Computing Group at the Swiss Federal Institute of Technology Zurich release a study discounting Mt. Gox bitcoin exchange operators' claim that a malleability attack was used to steal $500 million in bitcoins from the exchange.
  • March 27. President Obama announces suspension of the government's bulk telephony metadata program. Data will remain with phone companies and may be accessed by government agencies only with a court order.