This was Microsoft’s Patch Tuesday week, and there were a significant number of patches this month. According to eWeek, 33 vulnerabilities were addressed including fixes for a code execution vulnerability in SSL. SSL has taken a beating in 2014 with vulnerabilities like Heartbleed, but this particular issue appears to have been caught before any serious problems occurred.
However, after the usual stream of Patch Tuesday messages came in and my computer downloaded the updates as scheduled, I got a message about yet another Microsoft vulnerability. This one has been around for 19 years and affects every version of Microsoft Windows starting with Windows 95. As PC World explained about the strange issue:
The bug . . . would have allowed an attacker to run code remotely when the user visits a malicious website. IBM researcher Robert Freeman described the vulnerability as ‘rare, “unicorn-like” bug found in code that IE relies on but doesn’t necessarily belong to.’
As Chris Messer, vice president of technology at Coretelligent, told me in an email, everyone who uses Windows is affected by this vulnerability, but Messer sees those most at risk to be the home computer users who aren’t as savvy or diligent about security as an office would be. Of course, if a home user accesses a company network with his or her personal computer, that could create a risk to the company.
Messer also answers a question that I had, not just about this particular vulnerability, but of a growing number of newly announced vulnerabilities that have taken so long to be discovered. Why does it take so long to find these holes in the software? He explained it this way:
It’s a herculean task to review all code for these types of bugs – especially retroactively. Software development is becoming increasingly complex, as is the legacy code-base for many products like Microsoft Windows and Office, for example. Independent security researchers and antivirus maker labs provide a critical function in helping to proactively identify these types of bugs – hopefully before a hacker or other unsavory technical character does – and allow the software vendor to patch them.
Now that we know there’s a problem, what can be done to fix it? Patching is the first step, and of course, Microsoft has supplied a patch for this vulnerability. The second step is to make sure that each affected computer is equipped with current security software in order to catch any malware that might try to sneak through. And then, Messer added:
Organizations need to be more cognizant of Web-based threats, and understand that just deploying basic antivirus may not be enough to protect end-user machines from browser-based vulnerabilities such as this one. If organizations aren’t performing perimeter-based Web filtering, or are deploying a full endpoint security suite on end-user machines designed to help mitigate these types of threats, then they’ll remain highly vulnerable to Web-based threats that can easily infiltrate end-user machines via Web browsers.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba