Now that pretty much everything is connected to the Internet, the bad guys are continuously finding new weaknesses and flaws in software products. If you want to stay safe and keep the bad guys out, one of the best defenses is to make sure you have automatic software updates turned on; this has become a crucial “best practice” for maintaining your Internet safety.
For most software, automatic software updates are enabled by default, but you should routinely double check to insure they are set to “on”. We highlighted this issue in Aztec’s Seven Cybersecurity Must-Do’s but to underline what software can compromised, here a few recent vulnerabilities that involve some of the most common business software products, many of which you probably use daily.
Yang Yu, a researcher from China, discovered a design flaw in Microsoft Windows that affects all versions of Microsoft’s operating system up to and including Windows 10. This bug allows a hacker to hijack a PC’s network traffic and the user will never know! Microsoft already issued a patch for the so-called “Bad Tunnel” bug and if you haven’t used automatic software updates for Windows in the past week, now would be a good time to do so.
Bad Tunnel is a vulnerability that, as Donald Trump might say, has huuuuge security implications. Not only it can be exploited through many different channels, but it also exists in all Windows versions released during the past 20 years. All a hacker needs to do is get a victim to visit a specific web page or to open an infected Office document and the exploit can also be delivered via a malicious flash drive (casually inserting flash drives into your PC is a risk that we have repeatedly recommended against in our cybersecurity webinars). Once the attack is successfully executed, every network access the victim makes can be monitored or tampered with by the attacker. This is obviously a serious vulnerability and if you haven’t used Windows automatic software updates recently, you are running a serious risk.
An emergency update was released by Adobe Systems in March after a number of vulnerabilities were discovered in their cross-platform plugin that plays animations, videos, and sound files. The company issued a security advisory explaining that there have been a “limited number of targeted attacks” after it was discovered one of the flaws was being actively exploited. Adobe is urging people to install the latest update as quickly as possible whether they’re running Windows, MacOS, or Linux. Adobe has a simple tool that lets you make sure you have the latest version.
This particular group of vulnerabilities was assigned a “critical rating” meaning that if exploited by hackers, malicious code could be executed and your computer taken over, potentially without you being aware of it. Once this happens the hackers could spy on you and steal your data. All it would take for your computer to be compromised would be for you to open s rogue Flash-powered Web page or ad in your browser. Flash has a number of high profile critics and both Google and Mozilla (the developers of the Firefox browser) have announced that they will will no longer allow the plugin to run in their browsers by default but Flash is still very common in business systems. This is another serious vulnerability and unless your using automatic software updates , or, better still, you’ve removed Flash completely, you are rolling the dice on your digital safety.
The WordPress blogging system, one of the world’s most used open source applications, has been a perennial target for hackers, something that won’t change anytime soon. If you’re using WordPress as a content management and publishing system for your company’s website, you should make sure that your WordPress updates are up to date but also that any plug-ins you’re using are also the latest versions. WordPress can do this automatically for both its own code as well as for installed plugins; go check it now! And if you haven’t read the WordPress security white paper, now would be a good time to do so. Enabling automatic updates for WordPress systems is the recommended “best practice” and you should research using one or more of the security plugins that can “harden” your installation (one of our favorites at Azstec is Wordfence).
So, to sum it up:
- Make sure your business applications have automatic software updates turned on
- Insure that your website software such as WordPress is kept up to date with automatic updates (and use security plugins)
- Get rid of unsupported software including any version of Windows older than Windows Vista (Microsoft’s supported applications and end-of-life timelines are detailed on Microsoft’s Windows lifecycle fact sheet)
- Implement a plan to migrate older Windows systems to a supported version (we were surprised by the feedback from our Cybersecurity Webinars how many folks are using unsupported software, particularly obsolete versions of Windows! Get rid of them NOW!)
- Make sure you stay up to date on security issues by stopping by the Azstec Cybersecurity Center (you should also follow the other security blogs that we suggest in our Cybersecurity Workbook).
Finally, if you’re emailing confidential information or storing it on a cloud service there’s no better choice than docNCRYPT™ (though we admit we’re a little biased).
As always, stay safe out there.
David Griffith is CEO of Azstec LLC, the creators of docNCRYPT, the incredibly simple document and email security solution for everyone. If you have any comments or questions, email David at dgriffith [at] azstec.com and follow the Azstec Blog or on Twitter or LinkedIn.