The Hash is on the road this week, but while yours truly is flying the friendly skies, the following round-up will keep you in the loop on current events and interesting research. Today's cache includes a unique attack on Microsoft Outlook, using XSS to launch DoS attacks, and a note on the end of Windows XP.
It's time to say goodbye to Windows XP
By the time you read this, there will be less than 24 hours until the end of Windows XP. For home users, where the real problem exists, the panic point will be the lack of security updates. Yet actually updating the software on systems used in the home has always been a problem, so this isn't a world-stopping event for them.
For the office, Windows XP will live on. Even today, I know of organizations that are still using Windows 2000 and NT4, so the fact that XP will remain isn't a shock. There are legacy systems and applications in use that simply cannot be upgraded or altered.
Examples of this can be seen in the healthcare, transportation, and manufacturing industries. Thus, if the system works, don't change it. It's a painful policy, but one that many of us in IT have to live with year after year.
In a blog post, Qualys' CTO, Wolfgang Kandek, commented:
"Many industrial control systems and medical devices, configurations that typically have much longer useful life spans (>10 years) than pure computer equipment (<4 years), have Windows XP systems as vital components in their setups that cannot simply be updated.
"Nevertheless, these systems are full XP and as attackable as your average office machine if they are used in similar fashion, for email and web browsing. Moving [them] into network segments that do not have direct Internet access and introducing additional firewalls that curb that type of usage are ways to improve security."
Microsoft is offering extended support for XP, with prices starting at $100,000 per year. Banks (if their ATMs run XP) will likely opt in for this until they can phase the operating system out. But for the most part, XP usage is down.
Data collected from Qualys' BrowserCheck shows the percentage of XP dropping from 35 percent in January 2013 to just 14 percent this past February. Qualys expects this number to drop to 10 percent by the end of this month.
Using XSS for DoS attacks [The Hacker Blog]
Matthew Bryant (also known as Mandatory) has outlined additional methods of using XSS flaws on a website to initiate DoS attacks. His research is an extension of data released by Incapsula last week, after they discovered a video website with XSS flaws being used to trigger a DDoS attack.
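For the defender side of this story, here is an added example (not from the article, Mandatory's write-up, or Incapsula's report) of how a site operator could spot the traffic pattern such an attack produces. It assumes Apache combined-format access logs and the observation that a flood driven by script injected into another site's pages shows up as many distinct client addresses hitting the same URL in a short window, all carrying that third-party site as their Referer. The log lines, hostnames and thresholds are constructed for the example.

```python
"""Flag request bursts that look like a browser-driven (XSS-triggered) HTTP flood.

Added example; assumptions: Apache combined log format, and that the flood
appears as many distinct client IPs requesting the same path with the same
external Referer host inside a short time window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample traffic (not real logs). Six distinct addresses, one of
# them repeating, hit /search within four seconds, all referred from a video
# site. The remaining lines are ordinary traffic that must not be flagged.
SAMPLE_LOG = """\
198.51.100.10 - - [08/Apr/2014:10:00:01 +0000] "GET /search?q=a HTTP/1.1" 200 5120 "http://video.example.net/watch?v=1" "Mozilla/5.0"
198.51.100.11 - - [08/Apr/2014:10:00:01 +0000] "GET /search?q=b HTTP/1.1" 200 5120 "http://video.example.net/watch?v=1" "Mozilla/5.0"
198.51.100.12 - - [08/Apr/2014:10:00:02 +0000] "GET /search?q=c HTTP/1.1" 200 5120 "http://video.example.net/watch?v=1" "Mozilla/5.0"
198.51.100.13 - - [08/Apr/2014:10:00:02 +0000] "GET /search?q=d HTTP/1.1" 200 5120 "http://video.example.net/watch?v=1" "Mozilla/5.0"
198.51.100.14 - - [08/Apr/2014:10:00:03 +0000] "GET /search?q=e HTTP/1.1" 200 5120 "http://video.example.net/watch?v=1" "Mozilla/5.0"
198.51.100.15 - - [08/Apr/2014:10:00:03 +0000] "GET /search?q=f HTTP/1.1" 200 5120 "http://video.example.net/watch?v=1" "Mozilla/5.0"
198.51.100.10 - - [08/Apr/2014:10:00:04 +0000] "GET /search?q=g HTTP/1.1" 200 5120 "http://video.example.net/watch?v=1" "Mozilla/5.0"
203.0.113.5 - - [08/Apr/2014:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.6 - - [08/Apr/2014:10:00:04 +0000] "GET /search?q=h HTTP/1.1" 200 5120 "http://www.example.com/" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    referer = m.group("referer")
    # "-" means no Referer header was sent.
    ref_host = urlsplit(referer).hostname if referer != "-" else None
    # Drop the query string: a flood often varies it to defeat caching.
    path = m.group("path").split("?", 1)[0]
    return {"ip": m.group("ip"), "ts": ts, "path": path, "ref_host": ref_host}


def find_browser_floods(lines, own_hosts=("www.example.com",),
                        window_seconds=10, min_distinct_ips=5):
    """Map (path, referer_host) -> max distinct client IPs seen in any window.

    Only groups that reach min_distinct_ips are returned. Requests with no
    Referer or referred from our own hostnames are ordinary navigation and
    are ignored.
    """
    groups = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["ref_host"] is None or entry["ref_host"] in own_hosts:
            continue
        groups[(entry["path"], entry["ref_host"])].append(entry)

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for key, entries in groups.items():
        entries.sort(key=lambda e: e["ts"])
        best = 0
        # Sliding window: count distinct sources starting at each request.
        for i, start in enumerate(entries):
            ips = {e["ip"] for e in entries[i:] if e["ts"] - start["ts"] <= window}
            best = max(best, len(ips))
        if best >= min_distinct_ips:
            flagged[key] = best
    return flagged


def demo():
    """Run the detector over the constructed sample traffic."""
    return find_browser_floods(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for (path, ref_host), count in demo().items():
        print(f"possible browser-driven flood: {count} sources hit {path} via {ref_host}")
```

The detector keys on the combination that distinguishes this pattern from a normal traffic spike: many unrelated client addresses, one target path, one external Referer. On real logs the thresholds need tuning per site, and the Referer signal alone is not proof, since it is client-supplied; treating it as a trigger for closer inspection (and for contacting the referring site, which is where the XSS flaw actually lives) is the sensible use.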