I have two high-profile security stories for you today. The first one is that researchers at HP (honestly, I didn't know HP did this kind of research) found a bug in Internet Explorer that gets through Address Space Layout Randomization (ASLR). This feature is used in IE to keep browsers safe from static memory attacks.
"ASLR came into being at a time when many exploits relied on static memory address values. Adding some randomness to the memory layout increased the difficulty for attackers and caused many basic exploits to fail." - Dustin Childs (HP)
The somewhat good news is that this vulnerability only affects 32-bit IE browsers. If you're running 64-bit IE, you don't need to worry.
What about a patch, you say? Apparently, Microsoft isn't interested in patching this vulnerability. According to HP,
"Since Microsoft feels these issues do not impact a default configuration of IE (thus affecting a large number of customers), it is in their judgment not worth their resources and the potential regression risk." - Dustin Childs (HP)
HP's team had brought this vulnerability to Microsoft's attention back in February of this year. Since there isn't interest in patching this hole, HP has released proof-of-concept code. Here's hoping that media attention will get Microsoft off their butt to do what they need to do to protect us. While it's easy for them to say to use a new browser and one that's 64-bit (or better yet, use an alternative like Chrome or Firefox), the reality for us IT pros is that we can't do that for all our business applications, because a lot of them depend on stupid IE! I hope that there will be a patch soon that I can deploy through WSUS.
Tonight's second story involves good ol' Apples. Don't worry, the apples on your kitchen counter are fine; you just have to worry about the pretty devices sitting on your computer desk. Seriously, it's about time the Apple community wakes up and realizes that their beloved OS is not as secure as Apple has preached in the past.
Security through obscurity only works when the tech isn't well known, and Apple is one of the most recognized brands today. Hackers took advantage of a hole in MacKeeper, which is a security and cleanup utility for the Apple ecosystem. While the hole has been patched, not everyone has that patch. If you didn't know about it, don't worry, it was kept on the down low. If you're using MacKeeper, make sure you have the most up-to-date version, or remove it if you aren't using it. Take my advice now: if you are using an Apple device and aren't taking precautions on what you download or click on, you better learn quick before these attacks pick up.
Jimmy Tassin is the IT Manager of Midwest Regional Bank and has been involved with the Technology field for over thirteen years. His two hobbies are overseeing the daily operations of OmniKraft, a Minecraft server community, and writing at Goblinbyte.com.