Posts Tagged ‘patching’

Apple released iOS 9 this week. Hurray! But some (most) of you are thinking it might be wise to watch from the sidelines on this and let the bleeding edgers endure the initial onslaught of headaches that we all know can result from a software upgrade of this significance. There’s certainly a case to be made for this more circumspect approach.

However, if you are really concerned with caution, you might want to think again. The reason is that iOS 9 fixes over 100 security vulnerabilities that are lying around inside the bowels of its predecessor. That’s enough bugs to call in an exterminator, which is what iOS 9 could be.

One of the more interesting scenarios involves an exploit that abuses AirDrop to install malware on a mobile device. Here’s a video that demonstrates the attack.

Of course, with new mobile OSes comes the possibility of even newer bugs, but the point is that the cat is out of the bag on the old ones. The bad guys know about them and will be looking to take advantage. The new bugs are yet to be discovered.

That may not be the most comforting thought, but look at it this way. If you knew there were copies of the keys to your house being circulated among the cat burglar community, would you want to sit tight and hope none of them figured out where you lived, or change the locks? New locks still might be able to be picked but at least you make the job harder for the bad guys.

You might not like broccoli but it’s good for you. This next bit of news fits in that same category.

Android device manufacturers are going to move to monthly patch cycles according to a report from Computerworld.

Yay? Yes, yay! Sure, it will be a pain to apply software updates with each new moon, especially with so many mobile devices (e.g. phones, tablets, etc.) running the OS, but it really is a good thing.

The reasoning is as follows …

  • all software has bugs (try as we might, this remains true for anything other than simple programs)
  • some percentage of those bugs are security-related (call it the law of averages)
  • therefore, all software needs security patches (the punch line)

Mobile phones don’t get a pass from these inexorable truths just because they fit in your pocket. For what it’s worth, neither do cars, which I’ve written about here before as well. In fact, some of the higher end models these days have more lines of code than the Windows operating system, so take a guess at how many security holes that translates into…

Apple has done a better job in this area because, as both the hardware maker and OS supplier, they had 2/3 of the equation under their control with only the carrier side to coordinate. The Android ecosystem has had 3 players that needed to sync up, since the people that made the handsets (e.g. Samsung, LG, etc.) were different from those that supplied the OS (Google), which were different from the carriers (e.g. Verizon, AT&T, Sprint, etc.).

This dragon isn’t slain yet, as the precise details of how the Android army is going to amass against this issue have yet to be fully worked out, but it’s a step in the right direction and one that is long overdue.

Spring cleaning

Posted: April 30, 2012 in Uncategorized

Tyler Dukes of the Raleigh News & Observer’s “Stump the Geeks” column asked me for some recommendations on spring cleaning activities for your computer. Here’s the published article …

Computers need spring cleaning, too

Cleaning and maintenance are rarely fun but they beat the alternative of lost data and downtime so consider yourself forewarned …

IBM’s X-Force researchers have released their 2011 year end Trend and Risk Report and there’s good news and bad news for those of us trying to defend the castle, so to speak. First the good …

  • spam is down compared to last year (although you wouldn’t know it from my inbox),
  • software vendors are doing a better job of patching their products in a more timely manner,
  • and one of the long-standing threats to web server security, cross-site scripting vulnerabilities, is down (but not out, I might add).

But don’t pop the corks just yet …

  • attacks focused on mobile devices (i.e. smart phones, tablets, etc.) are on the uptick,
  • and so are automated password guessing and phishing attacks.

Also, bear in mind that some of these statistics are cyclical in nature, with a down year typically preceding an increase in the following year.

All in all, though, some great info to have at your disposal and to factor into the way your organization views IT risk.

For more info including access to the free report and an overview video go to http://www-03.ibm.com/security/xforce/.