Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.
Big items to consider: A Google researcher discovered a critical flaw in TrendMicro's antivirus product that allows attackers to view all contents of its built-in password manager. Forbes has recently instituted a policy that visitors must turn off ad-blocking software before they can view content, but that new policy left website visitors wide open to malware attacks. A survey commissioned by ISACA revealed that 83% of security professionals believe that another critical infrastructure attack will happen this year. Lastly, Microsoft announced today that it will no longer support older versions of Internet Explorer, which leaves unaware users wide open to new viruses and attacks.
Antivirus provider TrendMicro has released an emergency product update that fixes critical defects that allow attackers to execute malicious code and to view the contents of a password manager built into the malware protection program. The release came after a Google security researcher publicly castigated a TrendMicro official over the threat. Details of the flaws became public last week after Tavis Ormandy, a researcher with Google’s Project Zero vulnerability research team, published a scathing critique disclosing the shortcomings. While the code execution vulnerabilities were contained in the password manager included with the antivirus package, they could be maliciously exploited even if end users never used the password feature.
A security researcher found malicious ads on Forbes after following the site’s policy that insists readers disable ad-blocking software. Forbes has taken an aggressive line against ad blockers: when it detects one running on your system, it denies you access to the content until you turn the ad blocker off. Needless to say, this hasn’t gone over very well with some people. Forbes included a prominent security researcher in an article called “The Forbes 30 Under 30,” which drew a number of other security researchers to check out the article. After disabling Adblock Plus, they were immediately served with pop-under malware.
On the heels of the cyberattack that caused a blackout in Ukraine, the lion’s share of cybersecurity professionals think a successful cyberattack on critical infrastructure is likely to happen in 2016 — 37.56 percent high, 45.55 percent medium likelihood — according to ISACA’s latest Cybersecurity Snapshot report. (The survey was conducted Dec. 21 through Jan. 2, so it was open for a small window before the breach on Dec. 23.) ISACA surveyed about 2,900 cybersecurity professionals, mostly in the United States, about their opinions on a wide variety of pressing issues, from hiring to legislation.
With the end of support for Windows XP in April 2014, Internet Explorer versions 6 and 7 finally fell off the official support lifecycle. But that still leaves four versions of Internet Explorer in widespread use. Effective today, Microsoft officially ends support for all but the latest version of Internet Explorer. This certainly shouldn’t come as a surprise; the company gave nearly 18 months of warning, starting in August 2014.