Vulnerability in Internet Explorer Could Allow Remote Code Execution
….An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.
Taken from the Microsoft Security Advisory posted on 23rd November 2009.
We are beginning (IMO) a new era of computing, the once merely discussed computing in the cloud is starting to come into fruition.
For me the “turning point” will begin with Chrome OS and its retail release. success or failure, the idea of trusting the cloud for your computing needs will be one step closer to something which I believe will be commonplace in the home. Why do I think this? Lets look a little earlier in history and consider when the Internet was gathering pace, I remember the concept of “always on” net access was feared as being the harbinger of death and destruction with the idea being an exercise in exploit suicide. Those days are long in the past however as a throwback of that “fear”, out of habit I still switch my computer off after use and unplug my router!
The first quote of this article is in relation to the latest set of patches to be released on “Patch Tuesday” or as I call it “Catching up Tuesday”. Microsoft is allegedly releasing 6 security bulletins on the 8th of December. Lets look at how the latest round of (finally) discovered exploits is described by Zdnet:
Microsoft urged customers to pay special attention to the IE update because of the availability of public exploit code and the fact that attackers could launch malware attacks to take complete control of a Windows machine running a vulnerable browser
So what does this have to do with the subject of Cloud Computing?
One of the arguments that I see when people are stating the case not to move to the cloud is fear over the security of their data. I ask that this article is read on the basis of the home user and not enterprise merely because the diverse needs and sensitivity of data would mean that talking about all permutations within enterprise and their suitability for the cloud would make a never ending article.
If we agree that Microsoft Windows has a majority “chunk” of the market (at the moment 😉 ) and we agree that people have a fear over the security of their data, what on earth does this say about the future of Microsoft Windows? Time and time again exploits are discovered, fixed and then the whole process starts over again. A reader Richard made a remark to me about retracting a comment I made in relation to Microsoft blaming a 3rd party for a Windows exploit and I think that highlights a very important point. Are customers not paying Microsoft money for a system that is secure? Sure, the exploit may have been a product of another party but does Microsoft not have any blame for allowing that exploit in the first place? and even if its proved that there was nothing Microsoft could have done, is that any consolation to the user who has fallen victim to a Windows exploit?
Now if a fear regarding Cloud computing is security of data then surely this is a reason to avoid Windows? Lets remind ourselves of some of the Windows exploits stories for 2009 (keep in mind though this is a very brief and far from complete summary of all the Windows issue this year)
Early in January this year we had reports that one in ten Windows machines were not patched to protect themselves from the worm that was the source of so many articles. If we think of the number of machines worldwide that run Windows, then you are looking at massive number of machines infested. The Register ran an article on that here: http://www.theregister.co.uk/2009/01/19/conficker_worm_feed/
March this year saw a story break regarding a one year old exploit which Microsoft had allegedly done nothing about and we saw headlines of sites such as “Why Microsoft Puts Our Nation At Risk: Year Long Un-mitigated Risk, Now In The Wild” and the same article reported that:
What makes it even worse is that it work on both Windows Server 2008 and Server 2003. The exploit creates a backdoor shell after it steals the SYSTEM token.
This was also said at the time:
This is yet another example of a black-eye that Microsoft could have avoided. To repeat, the company had notice about this issue one year ago and despite evidence of proof-of-concept code, there is not patch for affected Windows users.
Its BSOD time again for Vista users!
9th of September 2009 saw an old friend hit the headlines again. Its time for the Blue Screen of Death! this exploit attacks machines that have the Server Message Block 2.0 protocol enabled and presents users with a BSOD! It allegedly affected Windows 7, however it was reported to NOT affect the retail Vista 7
Windows 7 users – Don’t worry! you’re next!
Vista 7, the only pig outside of the Muppet Show to wear lipstick (IMO) is now getting a little taste of the exploit action. On November 16th Slashdot reported a 0-day Windows 7 exploit affecting Windows Server 2008 r2 and Windows 7.
Microsoft at the time were alleged to have said (as reported in the article):
Microsoft said it may patch the problem, but didn’t spell out a timetable or commit to an out-of-cycle update before the next regularly-scheduled Patch Tuesday of December 8. Instead, the company suggested users block TCP ports 139 and 445 at the firewall
Which for those who enjoy computing as a hobby or professionally makes perfect sense. I wonder what the average user made of that afvice….clear as mud? Which maybe explains why so many exploits where only a workaround is offered are allowed to run rampant. The exploit described at Slashdot allegedly allows a hard crash of a vulnerable system.
You can also read about that exploit here
But wait! Theres more!
If the few highlighted exploits of 2009 were not enough, there was (in June 09) reports of Microsoft taking control of your PC with a bugged forced update! Windows secrets reported:
Many readers have reported seeing updates being installed at shutdown or reboot time without any notification, much less an opportunity to select which updates will or will not be applied
Adrian Kingsley-Hughes of ZDnet allegedly said:
I have been receiving reports of these stealth updates for a while now
which is not as worrying as an observation made at the time:
Perhaps it’s well past time Redmond respects who owns the computers they commandeer and who is in the best position to know when updates can safely be applied!
So it appears you can lose control of your PC to Microsoft as well as a vulnerability in their software. Still think the cloud is any more of a risk than this sad chain of events?
You can read that article here: http://windowssecrets.com/2009/07/02/03-Forced-updates-plague-Windows-users-worldwide
So those were but a few of the issues Windows had this year. There were plenty of others. People say that we shouldn’t trust our data to the cloud (or at least without some promises from the service provider) I ask is your data any safer when running a Windows system?
Chrome OS is due out next year, we are seeing the rise in popularity of services such as Ubuntu One and Dropbox, online apps are coming to the fore with Google Doc’s and Twitter to name a few…how much longer are we to rely on a locally based storage medium?
I don’t believe local storage will disappear over night, there is (IMO) a consumer hunger for “owning” media and good examples of this hunger can be found with the proud owners of TB’s of MP3/OGG files or disks crammed with Xvid/DivX video. Security of data?, sure its secure on your storage device, but how secure is your OS? What about the apps you are running and what promises can Microsoft make that the data stored on your hard disk is any more secure than that stored on the cloud?
Is not the argument to “not trust the cloud” more of an argument to get rid of Windows? – I’ll let you decide.
Questions I think which will be answered very shortly when ChromeOS hits the shelves.
I often see:
Yes, but Windows has more attacks because more people use it! Thats why Linux doesn’t!
A point with maybe a small amount of truth. I’d suggest though, thats of little comfort to a Windows user who has fallen victim to another security hole in their OS.
If security of your data is a reason why you don’t want to consider cloud computing why are you using Windows and what about considering Linux? – Just an idea.
 There were so many Windows issues this year, I have detailed only a very small amount. They are included to make a point. You can find more for yourself with a quick Google.
Goblin – firstname.lastname@example.org