8.7 C
Wednesday, September 20, 2017

Security Think Tank: Lock up personal information in 2014, says ISSA-UK

I do know what criminal lists my details have ended up on, writes Tim Holman, but even I get regular phishing emails claiming my mobile phone bill is spiralling out of control (please open this zip file), that companies house is going to strike 2-sec off the companies register (please open this zip file) and – it being Christmas – expensive gifts have been delayed by UK customs (please open this zip file).   Internet service and email providers are too slow to take this stuff off the wire and it inevitably ends up in my inbox.   While I might know that malware can be easily encoded into a multitude of different compression formats that anti-virus systems simply do not detect, your average user simply will not know this. Given the elaborate, thought-out, well-spelt (they are all in good English) and targeted attacks we have seen in 2013, it looks like 2014 will be bringing more misery to users that simply are not aware that their computers can be completely taken over and used for nefarious purposes.  Unfortunately the spate of big data breaches we have seen over the past years have furnished cyber criminals with the one thing we do not want them to have - personal information.  In the wrong hands, this information IS being used to carry out targeted attacks, and they are not going to stop. Tim Holman is president of ISSA-UK and CEO at 2-sec. Read more on security priorities for 2014 Security Think Tank: ISF’s top security threats for 2014 Security Think Tank: KuppingerCole’s security predictions for 2014 Email Alerts Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox. By submitting you agree to receive email from TechTarget and its partners.

If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy Read More Related content from ComputerWeekly.com This was first published in December 2013

Thirteen plead guilty to Anonymous DDoS attack on Paypal

Thirteen people pleaded guilty to taking part in distributed-denial-of-service (DDoS) attacks on eBay’s Paypal organised by the Anonymous hacktivist group in support of Wikileaks. The defendants admitted taking part in Operation Payback in December 2010 that targeted payment firms such as Paypal, Mastercard and Visa after they stopped processing donations to Wikileaks. At least four UK youths were arrested on charges relating to the attacks on Paypal. By pleading guilty, the defendants face relatively minor misdemeanour charges, as long as they stay out of trouble, according to the BBC. Lawyers for the defendants argued they were taking part in protests that should be protected by the US Constitution, which guarantees free speech. But, the US Department of Justice accused them of intentionally damaging a protected computer. The DDoS attacks – made using a free tool downloaded from the internet called Low Orbit Ion Canon (LOIC) – were reported to have cost Paypal around £3.5m. More than 100 workers from Paypal's parent company, eBay, spent three weeks working on issues related to the attacks. PayPal also had to pay for more software and hardware to defend against similar attacks in the future. Anonymous's Operation Payback originally targeted companies involved in the music industry and opponents of internet piracy. But the hacker collective broadened the campaign to include attacks in revenge for Wikileaks, following a backlash in the wake of the site publishing thousands of US diplomatic cables. Email Alerts Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox. By submitting you agree to receive email from TechTarget and its partners.

If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy Read More Related content from ComputerWeekly.com

Security Think Tank: KuppingerCole’s security predictions for 2014

After the proliferation of Stuxnet, Duqu in 2012 and other Scada-focused attacks in 2013, industrial control system security will become an important topic in 2014, writes Robert Newby . Large-scale processes involving multiple sites over long distances will be increasingly subject to advanced persistent attack. As the adoption of cloud technologies increases exponentially in 2014, customers will find a greater requirement for encryption and key management technology.

As this increases in scope, businesses will find there are limitations in the reach of current technologies, and will look for ways to extend this to their clients at greater scale, without losing control of their security environments. The traditional corporate perimeter will disappear as this adoption increases, enabling a more dispersed workforce and client-base, but new perimeters will appear around information in different silos, requiring more classification and asset tagging. We will see the rise of technologies before the end of 2014 that focus on tagging data to protect itself, or creating virtual environments/perimeters that data cannot move outside.

The issue will be how to keep this data protected, once it leaves the corporate-controlled environment. Big data will continue to create its own security solutions and issues.

As more big data systems are created to process data at scale, the metadata being produced will acquire greater value than the original data store.

This data will need to be protected at source. 2014 will see security systems which rely on processing logs on global scales, implemented similarly to the key management technologies above.

This will create further concerns about where this processed data is being stored and who has visibility. Robert Newby is an analyst and managing partner at KuppingerCole UK. Read more on security priorities for 2014 Security Think Tank: ISF’s top security threats for 2014 Email Alerts Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox. By submitting you agree to receive email from TechTarget and its partners.

If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy Read More Related content from ComputerWeekly.com This was first published in December 2013

Ransomware looks set to increase, warns Sophos

Cyber criminals are planning to produce new forms of ransomwareon an unprecedented scale, according to IT security firm Sophos. Ransomware is a type of Trojan malware used by criminals to block access to target computers so they can demand payment for restoring access. In recent weeks the UK’s National Crime Agency’s National Computer Crime Unit has warned small and medium enterprises about the Cryptolocker ransomware that encrypts file on targeted machines. The US computer emergency response team (US-Cert) has issued a similar warning to US computer users about emails that appear to come from financial institutions, but install Cryptolocker. The malware is designed to encrypt files on the infected computer and any network it is attached to and then demand the payment of around £500 in Bitcoins to unlock the files. Now Sophos has warned there are discussions on underground forums about ways to produce a kit to make it easier for criminals to create their own versions of ransomware. Malware kits have been responsible in large part for recent spikes in new malware as they lower the technical barriers to entry for would-be cyber criminals and often provide technical support. According to the security firm’s annual report into cyber crime and emerging threats, ransomware could become the market leader in malicious code. James Lyne, co-author of the report and global head of security research at Sophos, said there is evidence that cyber criminals are keen to cash in on the success of ransomware such as Cryptolocker. Security firm BitDefender found that in the week starting 27 October 2013, more than 12,000 computers in the US were infected with the Cryptolocker malware A separate attempt to shut down the network supporting Cryptolocker found almost 150 separate systems gathering responses from infected machines, according to the BBC. The sophisticated networking capability within the ransomware means even if some criminal servers are shut down by law enforcement, the malicious network can recover quickly. Law enforcement agencies have advised organisations against paying the ransoms demanded in untraceable bitcoin virtual currency because none of those who have paid up have recovered their data. This approach means cyber criminals are able to cash out immediately without having to set up complex ways of monetising stolen data or laundering cash stolen from credit cards and bank accounts. The Nation Cyber Crime Unit (NCCU) has advised anyone who is infected with this malware to report it through ActionFraud, the UK’s national fraud and internet crime-reporting centre. The NCCU said prevention is better than cure and that UK businesses and consumers should: Not click on any such attachment Update antivirus software and operating systems Backup files routinely to a location off the network Disconnect any infected computers from the network Seek professional help to clean infected computers Email Alerts Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox. By submitting you agree to receive email from TechTarget and its partners.

If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy Read More Related content from ComputerWeekly.com

What’s new in ISO 27001: 2103 for storage and backup?

Since 2005, ISO 27001 has provided a framework for the secure retention of data with a six-part process based around generating policies, identifying risks and developing control objectives.  But this year the standard was updated, with ISO 27001: 2013 recognising changes in security threat vectors and changes to how we interact with devices, such as the onset of bring your own device (BYOD) as a mainstream phenomenon. Overall, the emphasis for ISO 27001 compliance has shifted to one focused on risk and mapping risk with regard to your IT assets.

Also, in practical terms the structure of the standard has been altered. In this podcast, Computer Weekly storage editor Antony Adshead talks with Vigitrust CEO Mathieu Gorge about the key changes in ISO 27001 and the implications for storage and backup. Antony Adshead: What is ISO27001: 2013 and how does it differ from previous iterations? Mathieu Gorge: ISO27001 and the 27000 series altogether is a suite is a suite of standards that allow people to manage information security to ensure that any type of sensitive information is protected from a confidentiality, integrity and availability perspective. ISO has its origins in terms of security in British Standard 7799, which was then adopted by ISO as ISO 17799.

And then in 2005, the latest series of ISO 27000 series of standards was produced. It is important to note that while a lot of people only talk about 27001, there are a number of standards in the ISO 27000 series. ISO 27001 is really the management structure for managing information security. ISO 27002 is a suite of suggested controls and how to implement controls. ISO 27005 is about risk management.

And there are other standards within the suite. In 2013, ISO 27001: 2013 was enacted, and I think it’s important to understand the changes between the 2005 version and the 2013 version.

The key drivers for the change, I suppose, came from the fact the attack vectors have changed, the way we use computing has changed, with the advent of cloud computing and big data and the implications this has for data security and data storage. The key drivers for the changes in ISO 27001: 2013 came from the fact the attack vectors have changed and the way we use computing has changed Mathieu Gorge, Vigitrust In terms of the major changes, there is a lot more focus on leadership and how you manage the information security management system.

There’s more focus on commitment, performance evaluation, which really is all about continuous compliance.

And you find it in other standards in the industry, such as PCI-DSS version 3.0 which came out this year talking about making security business-as-usual, and this is the same idea. There are also changes around managing risk and managing assets; for example, in changes in terminology in ISO 27001: 2013, an asset owner in the 2005 version is now the risk owner, so we’re looking at risk. It’s also important to understand the changes in structure. ISO used to have 15 sections; it now has 18 sections.

The first four sections remain sections that deal with the actual infrastructure or structure of the standard and how you manage the documentation set that you produce and the associated controls. So, in the 2005 version you had all the controls in annexe A – 15 sections with 133 controls and 39 controls objective.

In the 2013 version we have moved to 18 sections instead of 15, but with fewer controls – 114 – and only 35 control objectives.

The overall size of the document has gone down from 34 pages to 23 pages. So, there’s going to be the issue of mapping the old version to the new version.

There are already some good mappings in the public domain. Some of them have been published by BSI and they clearly map sections 5 to 15 in 2005 to sections 5 to 18 in 2013. There’s also a transition period and some advice on how to prepare for the transition, bearing in mind that some controls have been updated, some have been deleted, some requirements have been deleted, but all of it is mapped. If you use those mappings you’ll be able to protect your data, especially with regards to confidential data and data in storage. Adshead: What implications for data storage and backup result from the changes in ISO 27001: 2013? Mathieu Gorge: The new version, not unlike the previous version, puts emphasis on mapping risk and mapping assets.

The assets, obviously, would be any type of systems or processes that you use, but also any type of data you have to protect. So, it’s all about performing a risk management process/discovery process that allows you to map where the data is, where it’s going and where it might actually be stored. What’s interesting is that ISO 27001: 2013 continues to use the four-tier structures of ISO, which essentially starts with a policy setting up high-level objectives, procedures setting up guidance about how to achieve the objectives, work instructions that are essentially user manuals for the assets that you use to manage the information and the security of that information, and finally reference documents that allow you to trace the lifecycle of the document and mostly to trace any kind of change management. So, you find in the new version that it’s especially interesting with regard to data storage because there are a lot of hints about how to comply in a cloud computing environment, whether infrastructure as a service, software as a service or platform as a service, and there are also references to big data with regard to the fact you end up with a mix of structured and unstructured data, some of which you need to keep from a compliance perspective and some of which you need to protect from a security perspective. ISO 27014 is in draft at the moment and it’s [being framed] around information technology and security techniques for storage security Mathieu Gorge, Vigitrust The major change we are looking to see in the industry is really a version of ISO for storage security.

The good news is that ISO 27014 is in draft at the moment and it’s [being framed] around information technology and security techniques for storage security. The purpose of that version of the ISO 27000 standard is to draw attention to common information security risks that might be associated with protecting the integrity, confidentiality and availability of the information on various data storage technologies. So, it looks at best practice with regards to storage security design principles; data reliability, availability and resilience on storage systems; data retention, data confidentiality and integrity for the systems; and looking into virtualisation and virtualisation security, then applying this to traditional storage networking, storage management, the NAS, the SAN, file-based storage and cloud-based storage. A draft version is likely to be approved at some stage in 2014. It was expected in 2013, but that version that really deals with storage security will be integrated into the 27000 suite and so therefore the advice is to familiarise yourself now with the structure of ISO 27000 and be ready to be provided with some good controls to implement, to manage your storage security at some stage in 2014, with that latest version of ISO on storage security. Read More Related content from ComputerWeekly.com This was first published in December 2013

Google eyes password-free authentication in Chrome OS

If a Chromebook is near trusted hardware like a phone or watch, an app could wake up the machine. Easier screen unlocking could encourage people to lock them in the first place. December 10, 2013 11:12 PM PST Google developers are proposing tec...

UK prepares to launch internet archive without internet access

The UK is preparing to launch its official internet archive without internet access, after the publishing industry put restrictions on its release. The archive was held up by a decade of negotiations between publishers and the British Library, meaning that regulations permitting the library to perform its first archive copy of every UK website were not passed until April this year, more than 20 years since the World Wide Web took off and 12 years since Parliament passed a law making it possible. In the intervening decade, copyright lawyers at the World Intellectual Property Organisation (Wipo) took the lead over international internet archive policy from the United Nations Educational, Scientific and Cultural Organisation (Unesco), while publishers began turning old content on the World Wide Web into a cashable resource. The British Library gave the first demonstration of the UK internet archive to publishers last week, to demonstrate how it would meet their restrictions that the only people who could see it were those privileged few people eligible for readers' passes at one of the UK's six major academic libraries – and only then one at a time, in person, at a terminal in the library. Governments and publishers are meanwhile preparing to draft an international agreement on library archives at Wipo in Geneva next week, where the UK has asked for the question of access to be relegated. A spokesman for the British Library said access had been one of the key issues in negotiations with publishers. But terms of the decade-long talks were already set by a 2003 Act of Parliament that forbade the UK internet archive from being available on the internet. Speaking after the revelations in Computer Weekly that the Conservative Party, lead partner in the UK coalition government, had taken steps to retrospectively erase records of its pre-election pledges that the internet would make people in power more accountable to ordinary people, the spokesman said publishers had insisted the web archive should be treated in exactly the same way that printed paper archives had been treated for generations. "The public interest is served by the fact that there's now going to be a full record of the intellectual and cultural output of the nation, preserved in perpetuity, which it was not before," he said. Angela Mills Wade, who helped formulate the 2013 regulations as executive director of the European Publishers Council, said it was not necessarily in the public interest that the internet archive should be made generally available. "It's not a public archive. It's an archive for preservation and for research," she said. Adrienne Muir, an expert in digital preservation at Loughborough University who spent a term on the Legal Deposit Advisory Panel – a body that played a major part in formulating the regulations – said restricted access was the best compromise that could be reached with publishers. "Publishers didn't want the libraries to act as competition by providing unrestricted access," she said. Email Alerts Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox. By submitting you agree to receive email from TechTarget and its partners.

If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy Read More Related content from ComputerWeekly.com

“Revenge porn” operator arrested, charged with ID theft

Site's owner told the cops: "I know... people are getting screwed over."    

Mozilla Patches Firefox 26 With 14 Security Advisories

The new open-source browser release gets five critical security updates and finally delivers click-to-play functionality for some plug-ins, with more to come in the weeks ahead. Mozilla is out today with its latest milestone Firefox release, this time providing security fixes as well as new functionality in the open-source Web browser. The Firefox 26 release first entered beta in early November. From a security feature perspective, the big change that Firefox 26 introduces is the concept of "click-to-play" plug-ins. Prior to Firefox 26, plug-ins such as Java would just load inside the browser whenever required by a given Website, and without the need for any specific user interaction. With Firefox 26, Mozilla has now restricted the ability of Java plug-ins to auto-load and automatically run.

Other competitive Web browsers, including Apple's Safari 7, already enable the same type of functionality. One of the primary differences between Firefox 26's click-to-play implementation and Safari 7's is that Firefox currently does not block Flash media content with click-to-play.

The risk from automatically enabled plug-ins is that a user could potentially be directed to a malicious Website where a plug-in is used to automatically deliver some form of malware payload. The plan is to expand the click-to-play effort in future releases of Firefox. "The latest release of Firefox will continue to enable all plug-ins—except Java—by default while the click-to-play feature goes through additional testing in beta," Chad Weiner, product manager for Firefox, told eWEEK. "In the coming weeks, we will announce details of a plug-in whitelist policy that will provide a path to exempting certain plug-ins and Websites from our click-to-play policy." From a security patch perspective, Mozilla has attached 14 security advisories to the Firefox 26 release, with five marked as critical. Three of the critical advisories deal with use-after-free memory errors. Use-after-free memory vulnerabilities occur when unused authorized memory remains accessible to other programs, enabling attackers to potentially execute arbitrary code. Two of the three use-after-free memory vulnerabilities were reported to Mozilla by security researchers working with the BlackBerry Security Automated Analysis Team. Mozilla first began partnering with BlackBerry for security in July. The BlackBerry research team used Address Sanitizer—a widely used open-source tool for discovering memory flaws that was originally built by Google—to find the flaws. Mozilla also credited the BlackBerry security researchers with discovering another critical flaw by using the Address Sanitizer tool. "Security researchers Tyson Smith and Jesse Schwartzentruber of the BlackBerry Security Automated Analysis Team used the Address Sanitizer tool while fuzzing to discover a mechanism where inserting an ordered list into a document through script could lead to a potentially exploitable crash that can be triggered by web content," Mozilla's advisory explains. Firefox 26 also includes an update rated as having high impact for a JPG image file information leak vulnerability. Mozilla Security Advisory 2013-16 credits Google security researcher Michal Zalewski with the discovery of the flaw.

According to Mozilla, the flaw "could allow for the possible reading of arbitrary memory content as well as cross-domain image theft." In addition, Mozilla credited Google with reporting a Secure Sockets Layer (SSL) certificate-related flaw.

The issue, which Google reported to Mozilla on Dec. 4, involves an SSL certificate that had been erroneously issued that should no longer be trusted. "This certificate was issued by Agence nationale de la sécurité des systèmes d'information (ANSSI), an agency of the French government and a certificate authority in Mozilla's root program," Mozilla's advisory states. "A subordinate certificate authority of ANSSI mis-issued an intermediate certificate that they installed on a network monitoring device, which enabled the device to act as a MITM proxy performing traffic management of domain names or IP addresses that the certificate holder did not own or control." Firefox 26 isn't just about security; it also improves performance by way of at least one interesting bug fix. Mozilla bug #847223, titled "Don't decode images that aren't visible when we download them," is a bug that Gavin Sharp, lead Firefox engineer at Mozilla, sees as a great example of the benefits of Mozilla's continuous investment in memory-use improvements (project code name: MemShrink). "Firefox is best-in-class on memory use, thanks to fixes like that one," Sharp told eWEEK. "It results in a big reduction of peak memory usage on image-heavy pages like Flickr or other image galleries, and reducing memory use has all sorts of positive additional effects like increased stability, responsiveness and performance." Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist. ${QSComments.incrementNestedCommentsCounter()} {{if QSComments.checkCommentsDepth()}} {{if _childComments}}

Microsoft’s Expanded Account Security Options Keep Users in the Know

Following the introduction of two-factor authentication, Microsoft now offers its Web and cloud-services account holders more security management options. Microsoft accounts will be tougher to hack, courtesy of new security features that the software giant is currently rolling out. On Dec. 9, Eric Doerr, group program manager of Microsoft Account, announced the arrival of new capabilities "that give you more visibility and control of your Microsoft account." The move follows the earlier "release of two-step verification to the more than 700 million people around the world who use a Microsoft account," he said in a statement. Two-step verification systems strengthen password access systems with a secondary means of authentication, typically provided by an authenticator app or Short Message Service (SMS) communication, for example. Since hackers are unlikely to be in possession of both an account holder's password and smartphone, log-in attempts fail. According to Doerr, many Microsoft account holders have embraced the security-enhancing feature. "In the eight months since we released this feature, we've seen impressive adoption," reported Doerr.

And the numbers are growing. "Every day, thousands more users enable this extra protection for their account," he added. Now Microsoft is offering new ways to keep an eye on user accounts, which can be used to access a wide variety of online services, including Outlook.com, Xbox Live and SkyDrive. A new Recent Activity view allows users to monitor their own accounts by providing a list of sign-ins and other account-related activities, complete with location information. "You know best what's been happening with your account—so the more we give you tools to understand what's happening, the better we can work together to protect your account," said Doerr. Recent Activity also displays what type of device accessed (or attempted to access) an account and shows its whereabouts at the time on a Bing map. If suspicious activity is spotted, users can click the "This wasn't me" button to initiate steps to protect their accounts and help Microsoft tune its security mechanisms. Should circumstances prevent legitimate users from logging into their accounts, new recovery code capabilities make it easier to gain access. Recovery codes act as "a spare key to your house," said Doerr, before warning users to "store it in a safe place." Only one recovery code can remain active at a given time.

A new request for a code invalidates the previous one. Finally, Microsoft has enabled more security notification options. Users can now opt to send security notifications to select email addresses and/or phones. "Again, this is all about giving you greater visibility and control of your account so that we can work together to help keep your information safe," stated Doerr. Microsoft joins other major cloud services providers in helping its users combat account hijacking. Google first added two-factor authentication for paid Google Apps accounts in 2010 and has since made the feature available to all users. Cloud-storage provider Dropbox added two-step authentication in the wake of some high-profile security breaches last year.

Microsoft Patches Two-Dozen Flaws in Final Patch Tuesday of 2013

December's Patch Tuesday fixes a critical flaw that was left out of the November update and leaves yet another flaw unpatched that is still being exploited. Microsoft came out with its December Patch Tuesday update, which delivers fixes for 24 flaws spread across 11 advisories, six of which are identified as being critical. At the top of Microsoft's patch list is a TIFF image flaw that was not fully patched in the November Patch Tuesday update, even though it was known and being exploited.

The MS13-096 advisory in the December update explains that "a remote code execution vulnerability exists in the way that affected Windows components and other affected software handle specially crafted TIFF files." Microsoft warns that the TIFF flaw, if exploited, could have potentially enabled an attacker to take control of a user's PC. The vulnerability could allow remote code execution if a user views TIFF files in shared content.

An attacker who successfully exploited this vulnerability could take complete control of an affected system. Though it has taken Microsoft a month to patch the TIFF issue, researchers at security firm Tripwire aren't concerned. Tyler Reguly, security research and development manager at Tripwire, told eWEEK he was surprised by Microsoft's speediness in patching the TIFF vulnerability. "I think that Microsoft responded to this threat in a reasonable timeframe considering the complexity of the affected code and the limited scope of affected products," Craig Young, security researcher at Tripwire, added. "Also, remember, that Microsoft did promptly release a 'fix-it' to disable the vulnerable code path." A fix-it is a temporary measure that is intended to limit the risk of a vulnerability before a full patch is issued.
 The other big critical item on Microsoft's December Patch Tuesday list is the MS13-097 cumulative security update for Internet Explorer. Unlike the November update, which patched a zero-day flaw, the December update deals with seven privately reported vulnerabilities that are not currently being publicly exploited. "The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer," Microsoft warns in its advisory. "An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user." The flaws in  MS13-097 were privately reported, but they may have private exploits that go with them to prove that the vulnerability exists, Tommy Chin, technical support engineer at CORE Security, told eWEEK. "Hopefully, [the private vulnerabilities] are in the hands of the good guys," Chin said.Wolfgang Kandek, CTO of Qualys, told eWEEK that overall he is continuing to see many vulnerabilities in Internet Explorer, so there is a lot of interest in browser security, both on the security researcher side and attacker community. "It was a good move by Microsoft to go to monthly updates as we don't really see the volume in browser attacks going down," Kandek said. Even with all the flaws patched by Microsoft this month, at least one known vulnerability that is currently under attack was left out.

At the end of November, Microsoft Security Advisory 2914486  warned about a vulnerability in a kernel component of Windows XP and Windows Server 2003 identified in CVE-2013-5065. As to why Microsoft did not patch the issue with the December update, Chin suggested that  Microsoft probably wanted to address all the remote code execution vulnerabilities first.  The Windows kernel flaw, in contrast, is a privilege escalation issue. In a privilege escalation attack, the attacker gains access with low-level credentials and then is able to elevate their privileges once inside, to a higher level of access. "Privilege escalation is very dangerous, but only if you have a way in," Chin said. "Assuming you patch all the remote code execution exploits, the only way to run privilege escalation exploits is with stolen credentials." Russ Ernst, group product manager at Lumension, told eWEEK that he wasn't too surprised that Microsoft has decided not to include the coded fix for Security Advisory 2914486. "Although there are known active exploits against the vulnerability described in CVE-2013-5065, the affected systems are limited to Windows XP and Windows Server 2003," Ernst said. "There is a published workaround to mitigate the attack, and the impacted platforms move to end-of-life next year, which may have pushed this to a lower priority than today’s already large release of 11 security fixes." Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

FCC halts AT&T plan to raise Internet prices on Sprint and...

Like the price of a barrel of oil, AT&T backhaul rates affect everyone—even you.