Wednesday, April 30, 2014

Fire Sale threat from XP, Heartbleed & IE bugs

Only weeks after the Heartbleed bug was discovered and Microsoft stopped support for Windows XP another major security issue has been revealed which may further compound problems for Internet users. The issue is so serious that some have suggested these security holes could allow hackers to initiate a 'Fire Sale' cyberattack.

Microsoft security holes

On Saturday 26th April Microsoft reported that a security hole existed in all versions of Internet Explorer from version 6 through to 11. The issue has been deemed so serious that the US and UK governments issued an unprecedented advisory saying that people should avoid using the browser until the hole is patched and instead use Google Chrome, Mozilla Firefox or Apple's Safari browser [Daily Mail / Washington Post / CNET].

Microsoft said it was already aware of "limited, targeted attacks" to exploit the security flaw which could enable hackers to gain access and user rights to a computer [BBC]. This could allow hackers to obtain passwords, remove and syphon off user data or insert malware and make the PC part of a botnet.

The discovery is significant given the huge number of people still using the browser. Estimates for Internet Explorer's overall market share range from 27.4% to 54.13%, as of October 2012.

No support for XP

The discovery is all the more worrying given the exploit appears to have been present for at least 12 years since it exists in version 6 of the browser. Furthermore, whilst Microsoft will eventually issue a patch there will be a great many users who will not receive it. Anyone still using Windows XP will not receive any support for their operating system and that includes security updates for Microsoft products such as Internet Explorer.

Again estimates vary, but there are still a significant number of people who continue to use Windows XP. The operating system, originally released in 2001, is still used by many government organisations who have failed to upgrade, often due to cost implications. Windows XP is also used in many ATMs, and while those systems could also be vulnerable to hackers most are in closed systems [ZDNet / Bloomberg / ZDNet].

China threat

While individual users can mitigate risk by using a different browser and operating system, the risks come from those who fail to update their systems. China in particular is a case in point. Windows XP is estimated to run on almost 70% of China's computers, while it is used by only 27% of the rest of the world. And while some security firms such as Qihoo 360 have taken on the task of updating users, not everybody will receive updates [CIO / EcumenicalNews].

China's users of Windows XP must of course register for the product. However, many of China's computer users do not have legitimate products and there is a poor understanding of the importance of updating operating systems and software. According to Microsoft, 90% of their software used in China, including Windows XP, is pirated, meaning most computers have never been updated and are ripe for exploitation [Engadget].

As such millions of users in China could find their computers being taken over and used for malicious purposes. According to one top white-hat hacker, James Forshaw, a vulnerability researcher for Context Information Security, unsupported Windows XP machines in China could pose a threat to the Internet in general if bot-herders round up significant numbers of them to use as launch pads for malicious exploits [NetworkWorld]. This could spell disaster for millions of people not only in China but around the world.


The problem lies in the fact that most people do not take computer and Internet security seriously enough. While one individual may increase their own layers of security such as installing timely operating system updates, running anti-virus software such as Norton or McAfee, and using password managers, others both in professional and non-professional quarters do not.

Thus data shared between one individual and another might not be secure if the third party has failed to take care of their own security. Even if you don't do Internet banking, the data held on some social networking sites could still be useful to criminals. And while one individual might keep their password safe and secure, another user and 'friend' might not. Following Heartbleed many people failed to update their passwords for compromised services which included Facebook amongst others. Thus a hacker, taking advantage of the Heartbleed bug, could potentially access some users' accounts and use that access to create phishing attacks or sift for information about others.

Patching holes

More worrying is where banking or financial institutions continue to use systems that are vulnerable. For example there are suggestions that Windows XP can put SOX, HIPAA and credit card security-compliance at risk [NetworkWorld].

Some firms and governments have paid Microsoft for continued updates. The British government, for example, has paid the software giant £5.5 million for continued support for one more year [Guardian / Telegraph]. The Dutch government has also paid Microsoft to keep its systems updated [ZDNet]. However these measures are merely a stop-gap and will not address the issue in the long term.

Lack of information

Indeed, publicity and understanding of a security threat can be a major factor in mitigating it. Given the number of people potentially affected by the ending of support for Windows XP, the Heartbleed Bug and the security holes in Internet Explorer, the reportage has been relatively scant. Many companies failed to inform their users and information outside tech websites was often confused and contradictory.

'Fire Sale'

Of course Ukraine, the Korean ferry disaster and European elections are important issues, but the recent security issues are arguably far more significant. Indeed some have suggested these recent holes and exploits could lead to a 'Fire Sale', a term used to describe a hypothetical attack by computer hackers on vital networks [Wired].

The term 'Fire Sale' was first coined in the Die Hard movie "Live Free or Die Hard", in which hackers attempted a three-stage systematic cyberwarfare attack on the United States' computer infrastructure.

The film may well have been fiction, but the shocking truth is that the world's computer systems are vulnerable to attack and common flaws make such attacks easier and more likely.

tvnewswatch, London, UK
