First Heartbleed and now this. Versions IE6 through IE11 of Microsoft’s Internet Explorer web browser were found open to exploitation, according to an announcement Monday (April 28th) from Homeland Security. The bug leaves users vulnerable to websites containing malicious code that can create a backdoor in their computers for hackers.
Within four days, Microsoft announced that a fix for this zero-day security flaw was tested and ready for release on May 1st. Microsoft included Windows XP in the fix despite the announced cessation of support for that operating system a month earlier.
According to a blog post from Peak 10 technology partner SilverSky, this has happened before. “Attackers have exploited many little-used legacy components such as the ‘Clippy’ agent, information cards, tabular data controls and Microsoft-specific video formats — just to name a few. As long as customers use IE, there will continue to be a large attack surface related to these older components,” wrote SilverSky’s Andrew Jaquith, CTO and SVP of Cloud Strategy.
Peak 10 customers should take note. Legacy applications, forgotten data files and long-neglected workarounds to problems can be potential security flaws in your own infrastructure. In your efforts to keep your customers happy by maintaining the status quo, some of these conditions may have passed their useful lives. They are often out of date and not maintained. The IT staff responsible for them in the first place may have taken that institutional knowledge with them to some other company. And, speaking of large attack surfaces, remember that hackers penetrated Target’s security defenses via a network connection through a Target vendor.
Too much can never be said about the importance of viewing IT operations with a critical eye, enforcing security policies and undergoing regular audits, as well as making sure business partners do the same. Having considerable expertise in this regard, Peak 10 is always here to provide guidance and assistance.