Channel: RJS Software Blog » Microsoft

October Security Updates


What is happening in the security world this month and how does it affect you? Let’s take a look at important October security updates from around the globe.

Microsoft

Another month, another set of patches from Microsoft. The one to watch for this month is MS11-076. This fixes a problem with Media Center that is being exploited all over the Internet. If you are using Microsoft technology to watch media, apply this patch as soon as you can. There is also an update for IIS that patches a hole attackers were exploiting to run code on your servers… so please remember to apply updates to your web servers. The last one I want to specifically point out is a patch to Forefront. This is yet another example of Microsoft’s security technologies REDUCING rather than improving protection. If you are using Microsoft technology as the only layer for protecting Microsoft technology, you might want to consider whether that is actually a reasonable defense.

There are other patches considered critical on your workstations, but not interesting in their own right. By the time you read this, they should all have been patched. If they have not been, you should really ask yourself whether leaving your business unprotected for a week is really in your best interest. If your workload is too high to get patches out in a reasonable amount of time, you may wish to consider technological assistance. While good patch management systems aren’t free, they often pay for themselves in short order.

Learn more.

Apple
While the news of Steve Jobs’ passing made front pages everywhere, the news about the recent set of updates did not. These updates cover both OSX and the Windows version of iTunes. Unlike other vendors who release patches on a fairly regular schedule, or at least, on an “as needed” basis, Apple likes to bundle theirs with new functionality. This is good in that it forces people to get the latest security patches to use new features, but bad in that the window of opportunity exposed to an attacker is much larger than it really should be. If you are using OSX, I strongly recommend you also run the free Sophos protection suite to protect yourself while Apple goes through their process.

I also want to point out the new Windows version of iTunes is NOT dependent on QuickTime. Once you update iTunes (if you use it), this would be a great time to remove QuickTime altogether. Odds are the Windows system will handle those files just fine, so all QuickTime is doing for you is providing another application for attackers to target.

Lastly, be aware that in some cases, the OSX update has caused problems for people applying it. Do a bit of research before you initiate the update so you know what to do if it doesn’t apply cleanly. Worst case, the friendly folks at the Apple store should be able to fix it for you.

Learn more.

Sony
I really wish I wasn’t still writing these. Sony was attacked in April of 2011 and the attacks seem to just keep coming. In the most recent iteration, 93,000 PlayStation Network users were attacked (again). Sony is showing improvement in how they are handling these sorts of incidents, but clearly, people are still getting through.

Fundamentally, even if Sony were perfect, there is a limit to what they can do to protect you. Remember, security systems only protect those that protect themselves. If you are sharing passwords between sites, using simple passwords or not reviewing your credit card statements, you are substantially raising the risk to yourself.

Learn more.

VMware
Another set of updates to VMware was released last week. Bear in mind that VMware ESX is an operating system on which other operating systems run, so you have to patch both levels. VMware is pretty good about testing their updates and releasing them in a reasonable time frame, but you have to help them help you by applying the patches when they come out. Far too many people take a “we’ll do it tomorrow” approach to what they consider “infrastructure” patches, which just makes them easier targets over time. If you’re not patching your VMware systems, switches, routers, firewalls, etc., your risk level is likely a lot higher than you think it is.

Learn more.

RSA
Details from the RSA attack earlier this year are starting to emerge. We now know that there were two groups from a single nation state behind the attack. The fact it was two groups and not just one is fascinating to those of us that track those things, but entirely useless information to most of you, so I shan’t dwell upon it. Instead, consider the other piece of news. This attack was of the type we are increasingly seeing. The GOVERNMENT of a foreign country targets a COMPANY. Sure, you may feel like your technology and operational procedures are sufficient for blocking the idle attacker or the disgruntled employee, but are you prepared to take on a team of highly-skilled attackers employed by a foreign government and focused directly on you?

Most people aren’t.

Learn more.

Facebook
The fight between an Austrian student and Facebook has reached epic proportions and is now being followed very closely by privacy experts. While the specific issues only seem to be legally actionable in the European Union, it is worth reviewing the specific complaints. If you care about your privacy, read the TWENTY-TWO complaints against Facebook and consider whether you trust your personal information with the social media giant.

Learn more.

