Volume 6, Number 25 -- June 25, 2008

Patches? We Don't Need No Stinkin' Patches: Survey

Published: June 25, 2008

by Alex Woodie

People aren't applying Windows patches from Microsoft, according to a new survey released yesterday by anti-malware software vendor Sophos. The study found that 63 percent of corporate PCs surveyed were missing at least one patch that addressed vulnerabilities in Windows, Office, Internet Explorer, Windows Media Player, or Macromedia Flash, providing "low-hanging fruit" for cybercriminals to exploit, Sophos says. But others say there's no way to keep up with all the patches, and that they don't always protect you, anyway.

As part of its Endpoint Assessment Test, Sophos ran its online scanning tool against 583 PCs located around the world for 40 days. The test looked for security vulnerabilities, including missing Microsoft security patches, disabled client firewalls, or missing endpoint security software updates.

The results, which can be viewed here, are slightly disturbing. Sophos found that 81 percent of the PCs failed one or more of the tests, more than 60 percent were missing Microsoft or Adobe Macromedia patches, 51 percent had disabled client firewalls, and 15 percent had out-of-date or disabled endpoint security software, such as antivirus or anti-malware software.

Only 37 percent of machines analyzed by Sophos were fully patched, and only 47 percent had a firewall enabled. "Ultimately, machines that fail such a test represent 'low hanging fruit' for cybercriminals and a real danger to their corporate networks," said Bill Emerick, Sophos vice president of product management for network access control products.

Considering that the number of reported security vulnerabilities across operating systems and applications has decreased over the last 12 months, could it be that people have just become complacent about applying patches? Doubtful, says Roger Thompson, chief technology officer of Exploit Prevention Labs, which develops intrusion detection systems.

"Microsoft does a great job of testing their patches, but they can't test against everything," he says. Microsoft often publishes 10 patches every month, and the workload of testing each of these patches against mission-critical applications can be overwhelming. "Corporations are trying to be choosy about which patches they deploy," he says. "On a monthly basis it's a war of attrition."

While users struggle to keep up with their patches, the Internet continues to become a more dangerous place. Here are some sobering security statistics:

  • Phishing Web sites are exploding across the Web, according to Symantec's latest Internet Security Threat Report. During the last six months of 2007, the number of phishing Web sites jumped 650 percent, from 13,400 phishing Web sites to 88,000 phishing Web sites.
  • Trojan Horse attacks were up 300 percent during the second half of 2007, according to Microsoft's Security Intelligence Report, released in April.
  • The widespread availability of easy-to-use malware toolkits in 2007 lowered the bar to entry to become a cybercriminal, according to the annual report on the state of information security by IBM's Internet Security Systems (ISS) division.
  • Parasitic crimeware, which is software designed to steal information using the traditional techniques pioneered by virus writers, is expected to grow by 20 percent this year, according to McAfee's Avert Labs' annual top 10 list of security predictions.

If there was any good news coming out of Sophos' report, it's that up-to-date anti-malware was installed on 85 percent of the surveyed systems, which can help protect users against the threats listed above.

The Web, from which security firms extract 20,000 to 30,000 new malware samples per day, is the real problem, Thompson says. "Firewalls keep out most things, but they don't keep out Web traffic," he says. "When you start a Web browser session, it becomes an instant tunnel through the firewall, the code gets back to the desktop, and that's how people get nailed. Whether they use my product [called LinkScanner] or somebody else's, they need something that filters the Web traffic, the HTTP stream."

It's probably worth noting that the best protection from network-based threats--or any information security threats, for that matter--will always be to have multiple layers of security, providing overlapping redundancy in the most critical areas. That means users should do their best to install patches from Microsoft and other vendors, they should turn on their firewall, and--within a reasonable amount of time that should be spent on testing--they should install Microsoft's patches.




Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed

The Windows Observer


Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034
