Windows, Ubuntu, and OS X all have security issues and need to be patched constantly. As soon as one security issue is fixed, researchers find another, and every new program that is written introduces security issues of its own. It is a vicious cycle. Here we give a brief overview of some recent security issues found in each of those operating systems to demonstrate the importance of patching the OS.
The Wintel x86 architecture carries a couple of basic weaknesses that are not easily fixed. Microsoft has done much to mitigate certain vulnerabilities in its 40-year-old basic design, but other problems remain inherent to the platform. Windows itself, and most of the software that runs on it, is written in C and C++, languages that do not check whether a write stays inside the array it was meant for. That is what makes such programs susceptible to buffer overflow attacks: the attacker supplies more data than a fixed-size field can hold, and the excess overwrites whatever lies beyond the end of the field, such as a flag, a pointer or the saved return address on the stack, which the attacker can point at instructions of their own choosing.
Those instructions typically locate system libraries (.DLLs) that are already in memory and call into them to do the real work, such as loading further code. Microsoft now randomizes the addresses at which known .DLLs are loaded (address space layout randomization, ASLR) to make that harder, and newer versions of Windows can require that a .DLL be digitally signed before it is loaded; if the signature does not chain to a trusted root certificate, the load fails with an error. Older .DLLs written before that requirement existed carry no such signature, and software that still accepts them is a weak point.
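The overflow described above, as an added example that is not code from the original article: a C record in which an 8-byte name field is followed directly by a privilege flag, filled once with an unchecked copy loop (the same thing strcpy() does) and once with a bounded copy that rejects over-long input. The struct, the function names and the attacker string are constructed for this demonstration; the code targets GCC or Clang.

```c
#include <stdio.h>
#include <string.h>

/*
 * A record with a fixed-size field followed directly by a privilege flag.
 * The layout (8 bytes of name, then a 4-byte flag at offset 8) is what
 * makes the overflow below land on is_admin. On a real stack the value
 * after a local buffer is often the saved return address instead, which
 * is what lets an attacker redirect execution rather than just flip a flag.
 */
struct session {
    char username[8];        /* filled from untrusted input */
    unsigned int is_admin;   /* sits immediately after the buffer in memory */
};

/*
 * Vulnerable: copies until the terminating NUL with no idea how big dst is.
 * This is exactly what strcpy() does. noinline keeps an optimizing compiler
 * from reasoning about the out-of-bounds stores and "optimizing" the demo.
 */
__attribute__((noinline))
void copy_untrusted(char *dst, const char *src)
{
    size_t i = 0;
    while (src[i] != '\0') {
        dst[i] = src[i];     /* no check that i is still inside dst */
        i++;
    }
    dst[i] = '\0';
}

/*
 * Hardened: refuses input that does not fit, terminator included.
 * Returns 0 on success, -1 (writing nothing) when src is too long.
 */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len >= dst_size)     /* no room left for the NUL terminator */
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Returns the is_admin flag after the untrusted name has been stored. */
unsigned int vulnerable_login(const char *name)
{
    struct session s;
    memset(&s, 0, sizeof s);           /* an ordinary, non-admin session */
    copy_untrusted(s.username, name);  /* 9 or more bytes spill into is_admin */
    return s.is_admin;
}

/* Returns -1 if the name was rejected, otherwise the (untouched) flag. */
int hardened_login(const char *name)
{
    struct session s;
    memset(&s, 0, sizeof s);
    if (copy_bounded(s.username, sizeof s.username, name) != 0)
        return -1;
    return (int)s.is_admin;
}

int main(void)
{
    /* Constructed attacker input: exactly fills the 8-byte field, then one
     * more byte (0x01) that lands on the first byte of is_admin. On a
     * little-endian machine the flag becomes exactly 1; on any machine it
     * becomes non-zero, which is all a "non-zero means admin" check needs. */
    const char *attack = "AAAAAAAA\x01";

    printf("vulnerable: alice    -> is_admin=%u\n", vulnerable_login("alice"));
    printf("vulnerable: overflow -> is_admin=%u\n", vulnerable_login(attack));
    printf("hardened:   alice    -> %d\n", hardened_login("alice"));
    printf("hardened:   overflow -> %d (rejected)\n", hardened_login(attack));
    return 0;
}
```

The hardened copy checks the length against the destination size before writing a single byte; truncating silently (as strncpy does) would also stop the overflow but can leave an unterminated string, so rejecting the input outright is the safer default for a fixed-size field.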
Sometimes attackers do not need a buffer overflow to load a .DLL; they can let the user do it for them. That is what happens when a browser loads an ActiveX control such as Adobe Shockwave: the control is native code that runs with the full privileges of the user who opened the page.
ActiveX controls are loaded in the browser with the HTML OBJECT tag, whose CLASSID attribute names the control to instantiate. For example, here is how a page instantiates the Flash Player control and directs it to play the movie at a given URL (the codebase here is swflash.cab, the Flash Player control; Adobe Shockwave Player is a separate control that is loaded the same way). The CLASSID is the Flash Player control's registered class identifier and the movie URL is a placeholder:
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,28,0" width="320" height="285" title="Flash tester">
  <param name="movie" value="http://example.com/movie.swf">
</object>
Security blogger Brian Krebs wrote a headline that leaves no doubt about what he thinks of Adobe Shockwave: Why You Should Ditch Adobe Shockwave. He says webmasters should stop using it because of its security issues and points out that 80% already have. In that post he quotes a security expert who says that, because of this issue with Adobe Shockwave, "an attacker may be able to execute arbitrary code with the privileges of the user." Yes, that is the problem, and the whole point of an attack: to execute the attacker's instructions without the user's permission or knowledge.
Just because it is open source does not mean that Linux is free of security bugs. Ubuntu publishes its security notices (USNs) in a well documented form. This notice concerns Samba, the service that implements the SMB/CIFS file-sharing protocol so that drives can be shared between Linux and Windows:
USN-2508-1: Samba vulnerability - 23rd February 2015
Richard van Eeden discovered that the Samba smbd file services incorrectly handled memory. A remote attacker could use this issue to possibly execute arbitrary code with root privileges.
There is the "execute arbitrary code" problem again, and worse, it is with root privileges, so a successful exploit owns the whole machine rather than one user's files. Had a criminal discovered this before a security researcher did, they would have used it, and probably sold it online as well, perhaps for many thousands of dollars.
Contrary to popular perception, the Mac is not without security problems either. For example, a researcher from Google's Project Zero found this problem in the Bluetooth driver on OS X Yosemite:
CVE-2014-8836 : Ian Beer of Google Project Zero
Available for: OS X Yosemite v10.10 and v10.10.1
Description: An error existed in the Bluetooth driver that allowed a malicious application to control the size of a write to kernel memory. The issue was addressed through additional input validation.
What you can do to protect yourself depends on how many resources you can dedicate to the task. First, it is crucial to stay on top of patching: patch every operating system and application, and do it promptly, because each of the fixes above does nothing until it is installed. The stream of patches released by the various vendors can be overwhelming, but an organization still needs a concise patch management practice: know what software is installed where, follow the vendors' security notices (Ubuntu's USNs, Apple's security updates, Microsoft's security bulletins), and test and roll out fixes on a regular schedule rather than when time permits.
If you are a medium-sized business with a small IT department, you may be able to assign one person to keep abreast of security issues by reading those bulletins and the various security bloggers. If a cloud vendor runs your machines, they will take some of that burden, though patching the operating system and applications inside your own virtual machines usually remains your responsibility. Beyond patching, the best defence is still continuous security audits, layered network security, and best-practice education for all employees.