Newsletter 07/13/2024

If you find this article of value, please help keep the blog going by making a contribution at GoFundMe or Paypal.
To Patch or Not To Patch?
I don't work with what would be called IT Pros. My clients are everyday end-users, people I generally refer to as Consumers, who struggle to one degree or another with all the stresses and strains that come along with using a computer today. Occasionally a Consumer contacts me for help. Invariably these new clients need their systems either patched or complete new versions of their software installed. Then so often comes the circular conversation that revolves around the need for — and firm resistance to — bringing their systems up to date. The most common argument against patching is the rousing chorus of "But it works fine!" An unpatched computer may indeed work fine for its user, but it is also a fine opportunity for hackers to exploit weaknesses and compromise the unpatched PC.

A study recently released by network security vendor Cloudflare offers the most current examples of how quickly cybercrooks can compromise an unpatched system. Although the focus of Cloudflare is securing networks, websites, and cloud services, its findings are relevant to all of us who use the Internet. The study, titled "State of Application Security 2024," serves up some startling new facts based on its research. Most notable for our purpose here is this:

"Cloudflare observed an attempted exploitation of a new zero-day vulnerability just 22 minutes after its proof-of-concept (PoC) was published."

The most succinct definition of PoC, as it relates to our subject here, comes from Trend Micro:

"A proof-of-concept threat is the earliest implementation of a threat and usually contains code that runs on new platforms and programs or takes advantage of newly discovered vulnerabilities."

A proof-of-concept is usually what a security researcher will publish that details a newly discovered vulnerability in computer hardware or software. It is proof that the vulnerability exists.
The PoC puts the vendor of the product with the newly discovered vulnerability on notice that its product is faulty, but it also provides the vendor with a roadmap on how to fix the flaw. The problem with a PoC is that it provides cybercrooks with the same roadmap; for the crooks, it is a how-to guide on ways to exploit the newly discovered vulnerability. It is not uncommon for security researchers to first inform the vendor of the vulnerable product about the details of the PoC before making that research publicly available. This gives the vendor time to develop a patch or other means of mitigation in order to secure the product. Sometimes a vendor might reject what the security researcher has found. Other times, the researcher, for whatever reason, will make the PoC public without giving prior notice to the affected vendor. For these reasons and many others, a PoC can become a very volatile piece of information once it is made public.

An unpatched vulnerability that is present and active on the Internet is known in the industry as a "zero-day vulnerability." Again, we will use the definition offered by Trend Micro:

"A zero-day vulnerability is a vulnerability in a system or device that has been disclosed but is not yet patched. An exploit that attacks a zero-day vulnerability is called a zero-day exploit."

So, even an otherwise up-to-date piece of software can be vulnerable to attack and compromise. As Cloudflare's research now shows, those who do not patch their systems immediately when a patch is released risk being compromised. End of Life (EoL) products, for which there will be no current patches available, are even more at risk. Aaron Klotz, writing for the Tom's Hardware website on May 18, 2024, describes what happened when YouTuber Eric Parker recently connected a Windows XP machine to the Internet:
"Two minutes after hooking up his Windows XP virtual machine to the internet, Eric Parker found a couple of viruses that randomly installed themselves on the machine, including a virus dubbed "conhoz.exe." Soon afterward, another virus automatically created a brand new Windows XP account dubbed "admina" that apparently was hosting an FTP file server on the machine. When Parker installed Malwarebytes antivirus software on the XP machine, the antivirus software found and removed only eight of the many pieces of malware that infected the XP box. Parker repeated his experiment with Windows 2000, and the results were even worse."

You may think that no one uses Windows XP, but that would be a false assumption.
While in the field, I have encountered instances of people still using Windows XP. Windows 7 has also been designated EoL for several years now, but it too is still in use. To this point, my website stats showed 11 instances of Windows 7 being used, and one instance of Windows XP. What these users fail to grasp is this: the Internet is, in fact, one immense worldwide network to which all users connect. These hapless users may not care if their own machine is compromised; nonetheless, any infected PC will most likely become a node in a botnet. On its website, security vendor UpGuard explains well how a computer that has been compromised by a botnet is a security risk for any computer connected to the Internet:
"A botnet is a network of malware-infected devices used to launch coordinated attacks either against a single target, like during a DDoS attack, or multiple targets like during email phishing attacks."

In my field experience, the most commonly used software that is EoL is Microsoft Office. The application within the Office suite that is most often under threat is Outlook. On July 9, 2024, researchers at security vendor Morphisec published their findings about a "vulnerability that impacts most Microsoft Outlook applications." If exploited, the vulnerability "can lead to potential data breaches, unauthorized access, and other malicious activities," explained Morphisec. Known as a "zero-click" vulnerability, according to Morphisec researchers, "Attackers could exploit this vulnerability to gain unauthorized access, execute arbitrary code, and cause substantial damage without any user interaction." Although the vulnerability was discovered by Morphisec, communicated to Microsoft, and confirmed by Microsoft in April 2024, it was not patched until the July 2024 monthly updates. Since Microsoft made no reference to any product that predates Office 2016, it is safe to assume that those earlier EoL editions of Office and Outlook were not patched. And yet, I still find users who have Office 2007, or other EoL versions of Office, installed on their machines and in use. Too often, these are users without any real grasp of the technical issues that revolve around Internet usage, and who often rely on family members, or other so-called experts, to make decisions for them when it comes to their computer usage. One reason often given for the reluctance to upgrade their Office is that an expert might be too often called upon to help out with a new feature or function of the newer version of Office, and they don't want to be bothered. Another objection is the fear of continually being prompted for a password whenever a cloud-based Microsoft (Office) 365 app is started — hardly expert advice here.
The ignorance about the importance of good cyber hygiene displayed by much of the public at large, coupled with the apparent abject apathy of people who should know better but do not seem to care, plays a large part in this ever-worsening nightmare of cybercrime. A user's password alone can be invaluable to these crooks. Odds are, if a user doesn't keep their systems current with up-to-date software, then that same user will often use the same password across multiple websites. As proof of the value of passwords, and the prevalence of password compromise, on July 4, 2024, Cybernews posted an article entitled "RockYou2024: 10 billion passwords leaked in the largest compilation of all time." Although the article includes some very technical details, the first sentence in the heading tells the whole tale: "The largest password compilation with nearly ten billion unique passwords was leaked on a popular hacking forum." Researchers found that RockYou2024 is "a compilation of real-world passwords used by individuals all over the world," and those passwords are now available to cybercrooks. In conjunction with its reporting on the database of leaked passwords, Cybernews has posted online a tool that will allow anyone to check if a password has been compromised. The password checker can be had here. The tool is very simple to use. Simply type the password into the search box and click search. Obviously, if a password is found to have been compromised, that password must be changed immediately. A compromised password found in the database may also be a harbinger of other problems with that Consumer's machine.
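For readers who wonder how a leaked-password checker can look up a password without collecting it, here is an added example (not Cybernews's tool, and not code from the article) that works the way Have I Been Pwned's Pwned Passwords "range" service does: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and compares the returned hash suffixes locally, so the checking service never sees the password or even its full hash. The "leaked" corpus below is constructed for the example and is not real breach data; both the server side and the client side are simulated in one script so it runs offline.

```python
import hashlib

# Constructed stand-in for a breach compilation: password -> times seen.
# These are invented counts for well-known weak passwords, not real records.
CONSTRUCTED_LEAK = {
    "123456": 37000000,
    "password": 9500000,
    "qwerty": 4200000,
    "letmein": 600000,
}


def sha1_hex(password):
    """Uppercase hex SHA-1 of the password, the hash form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leak):
    """Server side: group every leaked hash by its first 5 hex characters.

    Each bucket holds (35-char suffix, count) pairs, which is all the service
    ever returns for a prefix query.
    """
    index = {}
    for password, count in leak.items():
        digest = sha1_hex(password)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index


def range_response(index, prefix):
    """Server side: answer a 5-char prefix query with 'SUFFIX:COUNT' lines.

    Returns an empty string when no leaked hash shares the prefix. The
    password and the full hash never appear in the response.
    """
    return "\n".join(
        f"{suffix}:{count}" for suffix, count in index.get(prefix, [])
    )


def check_password(password, index):
    """Client side: send only the prefix, match the suffix locally.

    Returns how many times the password was seen in the corpus; 0 means it
    was not found and the service learned nothing but a 5-character prefix
    shared by many unrelated hashes (the k-anonymity property).
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_response(index, prefix).splitlines():
        candidate_suffix, count = line.split(":")
        if candidate_suffix == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_LEAK)
    for pw in ("password", "correct horse battery staple"):
        seen = check_password(pw, idx)
        verdict = f"seen {seen} times, change it" if seen else "not in the corpus"
        print(f"{pw!r}: {verdict}")
```

The lesson for a Consumer is the same one the article draws: a hit in a checker like this means the password is already in the crooks' hands and must be changed everywhere it was reused. The lesson for anyone building or choosing such a tool is that the prefix-only query is what makes it safe to use at all.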
The best defense non-technical Consumers have against being ensnared in malware, botnets, and all the nefarious ways the crooks cause harm to Consumers is to keep their software up to date. Every morning, the first thing I do after making coffee is to check for Windows Updates, Office Updates, and updates to Chrome. And, as a service to the too few clients who have expressed their appreciation for what I try to do to keep people safe online, I text them what needs to be updated that day. I have come to call that the Updates Du Jour. Office is patched at least once a week, and the same with Chrome. Microsoft now often posts updates outside the regular Patch Tuesday schedule. As part of discussions about recent and novel attacks on Chrome and Office apps, on June 24, 2024, refreshers were posted that explain how to check for updates to Google Chrome and Office. If a reader does not know how to perform these updates, these two Dispatches will help. You see, that's what I do. I help people.
¯\_(ツ)_/¯ Gerald Reiff