Lies, damned lies and chomping on the number of OS X CVEs

A few years back, so the story goes, there was an operating system that was impervious to all forms of malware.

Unlike its older, and far more popular brother, OS X wasn’t very attractive. People didn’t like it, not because it wasn’t very good, but because it simply wasn’t the cool kid on the block.

Even a constant stream of name changes couldn’t help – after all, who would want to be a cheetah, a tiger or a lion when they could instead be an XP or a 7?

And thus the myth of Apple’s desktop OS being impervious to all the bad stuff was born (why? Either because it wasn’t used enough to be a legitimate target or it was supposedly vastly superior, take your pick).


As time went by…

The cool kids flocked to the other side of the playground, tempted by shiny iPods, iPads and a sexy young minx called Retina.

And you know what? The bad guys took notice and took it upon themselves to cause as much mischief and mayhem among this new crowd as they possibly could.


And so a recent study by CVE Details conjures up a picture of insecurity once totally unimaginable – Mac OS X is now top of the pile for Common Vulnerabilities and Exposures – a fact that hasn’t gone unnoticed by headline creators who one might describe as being anything but Apple fanbois.

But… even though OS X racked up a total of 384 CVE advisories in the year just passed, versus a rather more modest 314 for Flash and a mere 147 for former poster-boy Windows 7, the story is not quite complete.

That’s because CVE Details lists total vulnerabilities without a care for how severe or otherwise they may have been.

If I asked you if you would trade 2 of your OS X vulnerabilities for 1 of my Flash CVEs… I think you get where I’m going with this.

Also, many of the vulnerabilities are cross-platform, meaning multiple patches from numerous vendors for the same issue – should that attract a ‘high’ ranking?

Lastly, the figures are compiled, quite obviously, from reported vulnerabilities. While there’s no way of knowing for sure, who would bet that potential attackers are keeping more OS X vulnerabilities under wraps than Windows bugs? I know I wouldn’t.
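To make the severity and cross-platform points concrete, here is an added Python example (mine, not from the post or from CVE Details) run over constructed records: it ranks three products by the raw tally, by summed CVSS score, and by advisories not shared with another product, and the ranking flips between views. The placeholder CVE ids, the CVSS bands and the `issue` key are assumptions, not real data.

```python
"""Raw CVE tallies versus severity-aware and duplicate-aware views (constructed data)."""
from collections import Counter, defaultdict, namedtuple

# cve_id: placeholder, not a real CVE number; cvss: CVSS base score 0.0-10.0;
# issue: constructed key for the underlying bug, shared when the bug is cross-platform.
Cve = namedtuple("Cve", "cve_id product cvss issue")

# Constructed sample, not the 2015 figures the post cites; chosen so the views disagree.
SAMPLE = [
    Cve("CVE-0000-0001", "OS X", 4.3, "osx-bug-1"),
    Cve("CVE-0000-0002", "OS X", 2.1, "osx-bug-2"),
    Cve("CVE-0000-0003", "OS X", 5.0, "shared-parser-bug"),      # cross-platform bug
    Cve("CVE-0000-0004", "OS X", 3.5, "osx-bug-3"),
    Cve("CVE-0000-0005", "Flash", 10.0, "flash-bug-1"),
    Cve("CVE-0000-0006", "Flash", 9.3, "flash-bug-2"),
    Cve("CVE-0000-0007", "Windows 7", 5.0, "shared-parser-bug"), # same bug as 0003
    Cve("CVE-0000-0008", "Windows 7", 7.5, "win7-bug-1"),
]

def raw_counts(cves):
    """What a plain tally reports: one point per advisory, severity ignored."""
    return Counter(c.product for c in cves)

def band(score):
    """CVSS v2-style bands (an assumption for this example): high/medium/low."""
    return "high" if score >= 7.0 else "medium" if score >= 4.0 else "low"

def severity_counts(cves):
    """Per product, how many advisories fall in each severity band."""
    out = defaultdict(Counter)
    for c in cves:
        out[c.product][band(c.cvss)] += 1
    return dict(out)

def weighted_score(cves):
    """Sum of CVSS scores per product, so one critical bug outweighs several trivial ones."""
    totals = defaultdict(float)
    for c in cves:
        totals[c.product] += c.cvss
    return {p: round(v, 1) for p, v in totals.items()}

def exclusive_counts(cves):
    """Advisories whose underlying issue is attributed to no other product."""
    products_per_issue = defaultdict(set)
    for c in cves:
        products_per_issue[c.issue].add(c.product)
    return Counter(c.product for c in cves if len(products_per_issue[c.issue]) == 1)

def rank(metric):
    """Products ordered from worst to best under a given metric."""
    return sorted(metric, key=lambda p: metric[p], reverse=True)

if __name__ == "__main__":
    print("raw      ", rank(raw_counts(SAMPLE)), dict(raw_counts(SAMPLE)))
    print("weighted ", rank(weighted_score(SAMPLE)), weighted_score(SAMPLE))
    print("exclusive", rank(exclusive_counts(SAMPLE)), dict(exclusive_counts(SAMPLE)))
```

With this sample OS X tops the raw count, yet Flash leads once severity is summed and OS X loses a point once the cross-platform advisory is set aside.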

So, even though Mac OS X appears to be “the most vulnerable operating system” it almost certainly isn’t.

Apple may have lost the benefits of ‘security through obscurity’ that came when its products were less popular than they are now, but Windows is still the bigger brother that gets the bulk of the attention.

Hackers go where the fruit hangs low and, while the Apple is certainly more tempting than it was before, it’s still high enough up the tree to avoid the majority of bad guys who don’t fancy the bother of coming equipped with a ladder.


Things do change and there are no assurances that OS X will never succumb to a nasty piece of code that could ruin your life or trash your business, so stay alert and stay secure, and don’t fall into the OS flame war hype that often clouds the MS vs. Apple debate.

Ooh Nurse! UK Government Shuts Down Windows XP Life Support

In a not entirely unexpected move the UK government has finally euthanised the aging operating system that senior officials lovingly referred to as “Uncle XP”.

Years after less sentimental families would have packed the old boy off to a nursing home, Whitehall finally decided the lovable chap had become more trouble than he was worth and was costing a fortune to look after.

Instead of packing him off to the country and a nice bit of end of life care, they instead decided the only proper course of action was to send him off with a bit of dignitas.

Alas, not everyone in the extended family was overjoyed.

Despite being aware that the end was coming (he did last a good year longer than originally expected), some of the less popular members of the family still had a lot of affection for him.

Take nurses for example. The Guardian suggests that the NHS in Scotland still has around 2,600 computers running Windows XP.

Many tissues required there methinks.

Elsewhere, other branches of the Windows family are not quite so disappointed to see his passing – after all, £5.5m a year is a lot of money to hand over to the Microsoft clan when they are only offering a monthly bed bath and an occasional meal on wheels.

Much better then to say out with the old and in with the new.

And that’s exactly what the Government Digital Service has decided to do as it says hello to a couple of new trendy lodgers known simply as 7 (she’s getting on a bit herself now) and 8.1.

According to the Government Technology blog,

There has been good progress in moving away from Windows XP across departments and government organisations and with many public bodies this transition is complete.

As for those poor old nurses, the government is as caring as ever, saying it’s confident they’ll be able to handle the risks (dealing with infections is their thing, right?), using the CESG guidance or, failing that, “they may need to review their own short term transition support”.

The same also goes for elements of other agencies including HMRC and the police, both of which will be donning black suits and ties to lament the passing of an old friend, wondering whether they should have had a whip round and kept dear old XP around for just one more year.

Excited By The Extension Of Chrome Support For Windows XP? You Really Shouldn’t Be…

I can just imagine millions of voices crying out in extreme pleasure in response to the news that Google has extended support for Chrome on Windows XP through to the end of the year (it was previously due to end later this month).

The only problem with that, however, is the fact that it implies there are still a large number of users on Microsoft’s now aging operating system (industry experts suggest anywhere between 10 and 20 percent of all machines still use XP).

While Windows XP was pretty darn good back in the day, and a huge improvement on its successor(!), it is, as Monty Python may say, deceased, dead and long since ceased to be.

Alas, many millions of users are still dicing with antiquity on a daily basis, continuing to run the operating system that refuses to pass on, despite the fact that Microsoft stopped supporting the consumer edition in 2009 and the enterprise version back in April 2014.

That lack of ongoing support means anyone continuing to use Windows XP has problems. Unless you run a company of some fair size and have handed over a large stack of cash to Microsoft in return for special treatment – and why would you throw your organisation’s money away thus – you will be up the swanny in terms of getting any kind of protection against new strains of malware and viruses, or any other kind of support.

As Mark Larson, Director of Engineering, Google Chrome, says in a post announcing the extension of support for Chrome:

Computers running Windows XP haven’t received security patches in over a year and are facing a number of critical security vulnerabilities. At the operating system level, computers running XP are inherently in danger of being infected by malware and viruses, making it increasingly difficult for Chrome to provide a secure browsing environment. That’s why we strongly encourage everyone to update to a supported, secure operating system.

Sage advice indeed.

And something you would be well advised to take on board.

As Larson says, not everyone can afford to upgrade to a newer operating system on a regular basis and Chrome wants to keep Windows XP users as safe as possible, but there will come a time when that becomes impossible, given the financial costs of further development for something that should already be defunct.

So, if you are running Microsoft’s old operating system at home, start saving for something newer (it looks like Windows 10 may be relatively cheap or even free for some users), or explore some of the free operating systems, such as Linux, which will keep you far safer from harm.

And, if you are running Windows XP machines in a corporate environment, now is a pretty darn good time to go have a word with whoever controls the purse strings in your firm because such an ancient operating system has no place in a world where malware, data breaches and other threats are far more common than any of us care to think about.

Upcoming ISSA Ireland Special Event

ISSA Ireland are hosting a special event next Wednesday the 10th of June. The event is being run in conjunction with Microsoft and will focus on the security features of the Windows platforms. There are some really good talks lined up which will prove to be very useful to those of you charged with securing a Windows environment. In these days of recession and cutbacks you will find out about some of the inherent security features of Windows that you can employ at little or no cost, and perhaps save yourself having to purchase third party tools.

The talks are:

  • Security Improvements in Windows 7 and Windows Server 2008
  • How Microsoft Manages Information Security
  • Microsoft’s Malware Research: Conficker a Case Study

There will also be a series of lightning talks given by members on their favourite free security tools for the Windows platform.

The event will kick off at 2 p.m. and finish at 5 p.m. It will be held in the Academy Building at 42 Pearse St. More details of the location can be found on the Academy’s website or see the map below. To register for the event you should go to the ISSA Ireland website.

If you cannot make it to the event, or even if you can, and want more information on how to use the security features of Windows, don’t forget that I cover these in detail in my latest book, “Implementing ISO 27001 In a Windows Environment”. The book is available from either Amazon or the IT Governance Website.


Microsoft Warn of New Attacks Against MS08-067

Microsoft are again urging PC users to apply the MS08-067 emergency patch issued last October due to an increase in attacks aimed at exploiting that vulnerability. In particular a new worm, Worm:Win32/Conficker.A, has been noted as causing a rise in the number of attacks.
Once a PC is infected, Worm:Win32/Conficker.A will patch the vulnerability to prevent the PC from being exploited by another worm or attacker, and will also reset the system restore point to make it more difficult to recover the infected PC.
More details are available on the Microsoft Malware Protection Center Blog at
If you have not yet applied this patch it is strongly recommended that you do.

Microsoft Release Critical Out-Of-Band Patch

Microsoft tonight released a critical patch, MS08-067, outside their normal patch cycle.  For Microsoft to release a patch outside of their patch cycle indicates that this is a serious issue that we must pay attention to. 

I am obviously not the only one who thinks that, as the Internet Storm Center’s Infocon has turned yellow, which means they are “currently tracking a significant new threat. The impact is either unknown or expected to be minor to the infrastructure. However, local impact could be significant. Users are advised to take immediate specific action to contain the impact. Example: ‘MSBlaster’ worm outbreak.”

The vulnerability could allow an attacker without authentication to remotely run arbitrary code using a specially crafted RPC request on Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems. This is similar in nature to how the MSBlaster worm propagated throughout the Internet, and this vulnerability could be used in the same way. Microsoft have reported that they have seen live targeted attacks on some customer systems using this vulnerability.

It is recommended that you patch your systems ASAP. However patches, be they from Microsoft or other vendors, bring with them many inherent risks that we need to consider before rolling them out onto production systems. Will the patch introduce new problems as well as fixing the ones identified? Will it impact on other applications and systems? If we patch we may have problems; if we don’t we may have a security breach. Not the easiest of choices for an IT or Information Security professional to have to make.
I recommend you look at the following steps to mitigate the problem:

  1. A concise and factual presentation should be made to senior management with the options to address the issue laid out clearly, together with the potential downside to each solution.
  2. Whatever solution is decided upon needs to be agreed to and signed off by senior management.
  3. An incident response team should be set up in order to (a) respond to any side effects from the selected plan of action or (b) respond in the event your systems are compromised in spite of the steps taken.
  4. Remember as part of the plan to ensure that all your backups have been running successfully and more importantly that you can restore them!
  5. Have key contact details for all relevant personnel in the event of a major problem with your systems, including contacts in third parties such as ISPs, partner companies, extranet contacts etc.
  6. Communicate clearly with the user population explaining why the patch is being deployed and to report any unusual behaviour.
  7. Ensure that all Anti-Virus signatures and software are up to date.
  8. Ensure all Intrusion Detection/Prevention Systems’ signatures are up to date.
  9. Consider how best to update remote PCs and laptops that may not be connected to your corporate network.
  10. Make sure your perimeter firewall is configured properly and that where possible personal firewalls are installed on desktops and more importantly on servers.

I strongly advise, as with all patches, to ensure that you test and are satisfied that the patch does not negatively impact your environment before you deploy it. It also may be worth keeping on high alert even after deploying the patch as:

  1. Other new vulnerabilities could still be found in this feature of Windows.
  2. Not everyone will patch their systems in a timely fashion as we have seen time and time again and their compromise may impact your organisation.

More details are available from the Microsoft Security Response Center and also from the Internet Storm Center.  It is a pity that we do not have our own CERT here in Ireland to help coordinate a response to this issue and help Irish businesses better protect themselves.

Microsoft Windows XP Service Pack 3 Now Available

Microsoft has released the latest service pack for Windows XP. Service Pack 3 includes all the updates and hot-fixes released since Service Pack 2 and also a number of new security features, most notably:

“Black Hole” Router Detection, whereby Windows XP will now by default detect routers that silently discard packets.

Network Access Protection (NAP) which is currently in Windows Vista and Windows Server 2008 and is now also available for Windows XP.  NAP can enable you to enforce compliance on end user computers before they join the network ensuring that items such as anti-virus signatures and patches are up to date.

It will be interesting to see how organisations manage to deploy Service Pack 3 and in particular how many will roll out NAP to better secure their environment.  Given that many organisations are still running Windows XP and that Service Pack 3 will no doubt extend the life of XP in those environments, this may be the jolt in the arm that end point policy enforcement solutions need.   

I also wait to see how third party vendors of NAC solutions react to this development and whether they will decide to compete head on or complement their own solutions with NAP.

Microsoft Windows XP Service Pack 3 is available for download and comes in at 316 MB.  The release notes for the service pack are also available.

Targeted Attacks Using Unpatched Vulnerability in MS Excel

The Microsoft Security Response Centre has just released an advisory alerting us to targeted attacks using an unpatched vulnerability that affects Microsoft Office Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000 and Microsoft Excel 2004 for Mac.

Microsoft Office Excel 2003 Service Pack 3, Microsoft Office Excel 2007 and Microsoft Excel 2008 for Mac are not impacted.  This vulnerability is being actively exploited at the moment in attacks targeting specific organisations.  That is not to say however that a more widespread attack could not happen.

If you cannot upgrade your systems to the non-affected versions it may be prudent to block incoming emails or Internet downloads of Excel into your network until more details emerge and/or Microsoft release a patch.

The advisory also contains a number of suggested workarounds.

Most Popular Posts

Seeing as it is the beginning of a New Year I have reviewed the past year or so of the Security Watch Blog’s existence and thought I would highlight the most popular posts. I picked these posts based on a combination of the number of comments on each post, the number of links to a particular post and the number of views of a post. In no particular order we have:

An Overview of Information Security Standards

List of Security Certifications

Safari Incident Response

Microsoft Security

Information Security – Overhyped?

Call for Breach Disclosure Laws in Ireland

Why use ISO 27001?

Botnets – Digital Weapons of Mass Destruction?

Security & Google Docs

Details of TJX Hack Emerge – Wireless Networks the Weak Point

Free Web Application Security Testing Tool from Microsoft

One of the highlights of the RSA Europe Conference was meeting with a very interesting gentleman who works for Microsoft.  Simon Rose Femerling works with the Microsoft Ace Team.  We had some really interesting conversations about security, including research conducted in the hotel bar at 3 a.m. to try and determine the motivation of the average consumer in buying a computer and whether or not security is one of their criteria.  Needless to say that is one research paper that won’t get published.

One thing that really impressed me about Simon was his dedication and enthusiasm to improve computer security for us all while at the same time understanding the real world challenges facing businesses and system administrators.

Not only does Simon work with his colleagues in Microsoft in helping developers understand that security needs to be built into applications from the beginning, Simon is also heavily involved in the Open Web Application Security Project (OWASP).  Within the OWASP project Simon runs the Pantera Web Assessment Studio Project, which is a web application penetration testing tool.  If you are working in the web application area I strongly recommend you have a look at the Pantera Web Assessment Studio Project.

While chatting over a few beers Simon gave me an insight into the work he and his colleagues are doing. One of the projects is now available for free from the team’s Blog. It is their XSSDetect tool, which runs as a Visual Studio plug-in to enable developers to detect XSS (cross site scripting) vulnerabilities within their code.

Given that web application attacks are becoming more and more prevalent, indeed recent research shows that 70% of web attacks are at the application layer, the above tools and the work that Simon and his colleagues are doing are becoming more and more important.

If you are working with .NET I recommend that you download the XSSDetect tool and have a look at it.  It may save you a few embarrassing situations in the future.  If you find any issues with it then feed it back to the Microsoft Ace Team so they can improve the tool.

Over the past few months I have been increasingly impressed by Microsoft’s improvements in security. My impressions have not been formed or shaped by the Microsoft marketing machine but are based on the people I have met who work for Microsoft. People like Simon, and those I met while I was keynote speaker at Microsoft Ireland’s IT Professional Security Training Event, demonstrate to me that Microsoft have people working for them who really care about security. And of course the way Microsoft release their patches is an example other vendors should be following. Anyone from Apple or Oracle should take heed.

So well done Simon, the Microsoft (Application, Consulting and Engineering) ACE Team and the rest of your colleagues.  As is often said “security is not a destination but a journey” but from where I am sitting it looks like Microsoft are well on their way.