Why fear the cloud? Microsoft patches more Windows exploits.

Vulnerability in Internet Explorer Could Allow Remote Code Execution

….An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.

Taken from the Microsoft Security Advisory posted on 23rd November 2009.

We are beginning (IMO) a new era of computing; the once merely discussed computing in the cloud is starting to come to fruition.

For me the “turning point” will begin with Chrome OS and its retail release. Success or failure, the idea of trusting the cloud for your computing needs will be one step closer to something which I believe will be commonplace in the home. Why do I think this? Let’s look a little earlier in history and consider when the Internet was gathering pace. I remember the concept of “always on” net access was feared as being the harbinger of death and destruction, with the idea being an exercise in exploit suicide. Those days are long in the past; however, as a throwback to that “fear”, out of habit I still switch my computer off after use and unplug my router!

The first quote of this article is in relation to the latest set of patches to be released on “Patch Tuesday” or as I call it “Catching up Tuesday”. Microsoft is allegedly releasing 6 security bulletins on the 8th of December. Let’s look at how the latest round of (finally) discovered exploits is described by ZDNet:

Microsoft urged customers to pay special attention to the IE update because of the availability of public exploit code and the fact that attackers could launch malware attacks to take complete control of a Windows machine running a vulnerable browser

So what does this have to do with the subject of Cloud Computing?

One of the arguments that I see when people are stating the case not to move to the cloud is fear over the security of their data. I ask that this article is read on the basis of the home user and not enterprise, merely because the diverse needs and sensitivity of data would mean that talking about all permutations within enterprise and their suitability for the cloud would make a never-ending article.

If we agree that Microsoft Windows has a majority “chunk” of the market (at the moment 😉) and we agree that people have a fear over the security of their data, what on earth does this say about the future of Microsoft Windows? Time and time again exploits are discovered, fixed and then the whole process starts over again. A reader, Richard, made a remark to me about retracting a comment I made in relation to Microsoft blaming a 3rd party for a Windows exploit and I think that highlights a very important point. Are customers not paying Microsoft money for a system that is secure? Sure, the exploit may have been a product of another party but does Microsoft not have any blame for allowing that exploit in the first place? And even if it’s proved that there was nothing Microsoft could have done, is that any consolation to the user who has fallen victim to a Windows exploit?

Now if a fear regarding Cloud computing is security of data then surely this is a reason to avoid Windows? Let’s remind ourselves of some of the Windows exploit stories for 2009 (keep in mind though this is a very brief and far from complete summary of all the Windows issues this year).

Conficker

Early in January this year we had reports that one in ten Windows machines were not patched to protect themselves from the worm that was the source of so many articles. If we think of the number of machines worldwide that run Windows, then you are looking at a massive number of machines infested. The Register ran an article on that here: http://www.theregister.co.uk/2009/01/19/conficker_worm_feed/

Token Kidnapping

March this year saw a story break regarding a one-year-old exploit which Microsoft had allegedly done nothing about and we saw headlines of sites such as “Why Microsoft Puts Our Nation At Risk: Year Long Un-mitigated Risk, Now In The Wild” and the same article reported that:

What makes it even worse is that it works on both Windows Server 2008 and Server 2003. The exploit creates a backdoor shell after it steals the SYSTEM token.

This was also said at the time:

This is yet another example of a black-eye that Microsoft could have avoided. To repeat, the company had notice about this issue one year ago and despite evidence of proof-of-concept code, there is no patch for affected Windows users.

It’s BSOD time again for Vista users!

9th of September 2009 saw an old friend hit the headlines again. It’s time for the Blue Screen of Death! This exploit attacks machines that have the Server Message Block 2.0 protocol enabled and presents users with a BSOD! It allegedly affected Windows 7, however it was reported to NOT affect the retail Vista 7.

Windows 7 users – Don’t worry! You’re next!

Vista 7, the only pig outside of the Muppet Show to wear lipstick (IMO), is now getting a little taste of the exploit action. On November 16th Slashdot reported a 0-day Windows 7 exploit affecting Windows Server 2008 R2 and Windows 7.

Microsoft at the time were alleged to have said (as reported in the article):

Microsoft said it may patch the problem, but didn’t spell out a timetable or commit to an out-of-cycle update before the next regularly-scheduled Patch Tuesday of December 8. Instead, the company suggested users block TCP ports 139 and 445 at the firewall

Which for those who enjoy computing as a hobby or professionally makes perfect sense. I wonder what the average user made of that advice… clear as mud? Which maybe explains why so many exploits where only a workaround is offered are allowed to run rampant. The exploit described at Slashdot allegedly allows a hard crash of a vulnerable system.

You can also read about that exploit here

But wait! There’s more!

If the few highlighted exploits of 2009 were not enough[1], there were (in June 09) reports of Microsoft taking control of your PC with a bugged forced update! Windows Secrets reported:

Many readers have reported seeing updates being installed at shutdown or reboot time without any notification, much less an opportunity to select which updates will or will not be applied

Adrian Kingsley-Hughes of ZDNet allegedly said:

I have been receiving reports of these stealth updates for a while now

which is not as worrying as an observation made at the time:

Perhaps it’s well past time Redmond respects who owns the computers they commandeer and who is in the best position to know when updates can safely be applied!

So it appears you can lose control of your PC to Microsoft as well as a vulnerability in their software.  Still think the cloud is any more of a risk than this sad chain of events?

You can read that article here: http://windowssecrets.com/2009/07/02/03-Forced-updates-plague-Windows-users-worldwide

Conclusions

So those were but a few of the issues Windows had this year. There were plenty of others. People say that we shouldn’t trust our data to the cloud (or at least without some promises from the service provider). I ask: is your data any safer when running a Windows system?

Chrome OS is due out next year, we are seeing the rise in popularity of services such as Ubuntu One and Dropbox, online apps are coming to the fore with Google Docs and Twitter to name a few… how much longer are we to rely on a locally based storage medium?

I don’t believe local storage will disappear overnight; there is (IMO) a consumer hunger for “owning” media and good examples of this hunger can be found with the proud owners of TBs of MP3/OGG files or disks crammed with Xvid/DivX video. Security of data? Sure, it’s secure on your storage device, but how secure is your OS? What about the apps you are running and what promises can Microsoft make that the data stored on your hard disk is any more secure than that stored on the cloud?

Is not the argument to “not trust the cloud” more of an argument to get rid of Windows? – I’ll let you decide.

Questions I think which will be answered very shortly when ChromeOS hits the shelves.

I often see:

Yes, but Windows has more attacks because more people use it! That’s why Linux doesn’t!

A point with maybe a small amount of truth. I’d suggest though, that’s of little comfort to a Windows user who has fallen victim to another security hole in their OS.

If security of your data is a reason why you don’t want to consider cloud computing, why are you using Windows and what about considering Linux? – Just an idea.

Notes:

[1] There were so many Windows issues this year, I have detailed only a very small amount.  They are included to make a point.  You can find more for yourself with a quick Google.

Goblin – bytes4free@googlemail.com

7 Comments

  1. 周周 says:

    Regardless of what OS you are using, “the cloud” is less secure. Suppose you have 2 documents that are “top secret”. One is stored locally on a computer, the other is stored in the cloud.

    To steal the document on the local machine requires access to that specific machine. To get to the document stored in the cloud you can either target the machine that has access to the cloud, or the cloud itself.

    Lastly, even if security on the local end is important to someone, for many people (not including you) the inconvenience of using Linux simply doesn’t outweigh the benefit of more security.

  2. openbytes says:

    If you read the article again I was addressing the home user not enterprise. That being said users only have to look at their own stats… I wonder how many users have data on Google Docs and run Windows… Out of those I wonder how many have had their data stolen or destroyed as a result of Google Docs and how many have had an infestation on Windows.

    Thank you for that insight into “hacking” although I’d guess if a document was Top Secret and was a target of a criminal, it would be targeted regardless of being local or cloud.

    “the inconvenience of using Linux” – Yep, an inconvenience I’ve been suffering with for many years, and even as I test Windows 7, I’ve had more issues and fixes to do with that than any Linux distro.

    I also hate to break it to you, but “Top Secret” (I’d rather use the word “sensitive”) information is already trusted to the cloud of sorts albeit with the Police National Computer.

    1. 周周 says:

      Yes, I was addressing the home user and didn’t even come close to mentioning enterprise users in my example.

      You can give sensitive information any label you want, but it doesn’t change the fact it’s something you want to keep private. More to the point, I was talking about data often created by users and stored on their own systems, not data collected by the police and stored on their own computer systems.

  3. openbytes says:

    Quote “You can give sensitive information any label you want, but it doesn’t change the fact it’s something you want to keep private. More to the point, I was talking about data often created by users and stored on their own systems, ”

    and that’s the whole point of the article. If we can agree that Windows has been the target of successful malware that has enabled criminals to get hold of your financial details then it furthers my point that whilst people fear the cloud, those very fears are already being experienced by Windows users now. It’s only because it happens to so many people that it seems to be dismissed as an “occupational hazard”.
