July 23, 2014

Microsoft stopping support for its anti-malware scanner on XP in 3 months' time

The bell has been tolling for Windows XP for a long time and even though Microsoft has given its 2001 operating system the occasional reprieve, it looks like Redmond is set on ridding itself of arguably its most popular OS. As well as ending mainstream support, including security updates, from April 8th 2014, Microsoft will also stop supporting its anti-malware scanner – Security Essentials.

Microsoft Security Essentials helps guard against viruses, spyware, and other malicious software, and new definition files and updates are provided on a regular basis by Microsoft itself. At the moment the minimum requirement for the malware scanner is Windows XP Service Pack 3; however, according to Microsoft’s end of support for XP page, Microsoft will also stop providing Microsoft Security Essentials for download on Windows XP after April 8th.

According to the latest data from NetMarketShare, Windows XP is still running on 29 percent of PCs that access the Internet. That is a staggeringly large number of PCs and makes XP Microsoft’s second most popular operating system in use today. More PCs run XP than Windows Vista and Windows 8/8.1 put together. Only Windows 7 is more popular than XP, with some 47 percent of PCs using it.

But despite its popularity Microsoft is pulling the plug in less than 90 days. Microsoft itself acknowledges that continuing to use Windows XP after the support ends will make your PC “more vulnerable to security risks and viruses.”

What makes this even more concerning is that XP is still very much under attack from cyber criminals and hackers. Only last month Microsoft issued a warning about a zero-day vulnerability in XP that allows attackers to gain elevated privileges. Once the attackers have system level privileges they can install programs; view, change, or delete data; or create new accounts with full administrative rights. December’s security updates from Microsoft contained several patches, some Critical, for Windows, and only one of those patches didn’t apply to Windows XP. Extrapolating from this, Windows related security bulletins released after April will likely also affect XP, but the OS will be left vulnerable. This means that cyber criminals will have a wealth of clues available for creating new exploits, knowing that XP hasn’t been and won’t be patched.

By removing support for Security Essentials it seems that Microsoft is sending a strong message to XP users that now is the time to upgrade.

Imperva says anti-virus spend not proportional to effectiveness

(LiveHacking.Com) – The business security firm Imperva has conducted a study together with students from The Technion – Israeli Institute of Technology into the effectiveness of anti-virus products and come up with some startling numbers. According to the report, only 5% of new viruses are detected with the existing techniques used by anti-virus products. In time the anti-virus vendors do update their signature databases but, put simply, the majority of anti-virus products can’t keep up with the rate of virus creation and propagation.

What this means is that if the detection of new, previously unknown viruses is used as the measure of success, then consumers and businesses are spending a total of $7.4 billion a year on anti-virus products that don’t work. A lot of this spend comes from enterprises attempting to adhere to some compliance standard. Imperva suggests that relaxing anti-virus compliance standards could free up money which could be spent on other security software.

“One reason why security budgets devote too much money to antivirus is compliance. Easing the need for AV could free up money for more effective security measures,” wrote Imperva in the report.

Imperva recommends that existing anti-virus software should remain in place, but that security teams should devote more resources to identifying aberrant behavior such as unusually fast access speeds or large volumes of downloads.

The report also noted that the best way for a piece of malware to have long term success was to shun popularity. Antivirus products are much better at detecting malware that spreads quickly, as such malware quickly appears on the radar of the anti-virus companies. However, malware with limited distribution (such as government sponsored attacks) usually has a prolonged window of opportunity.

AV-TEST removes its certification for Microsoft Security Essentials

(LiveHacking.Com) – The latest set of tests performed by AV-TEST, an independent IT security and anti-virus research institute, has shown that Microsoft’s Security Essentials (MSE) can only detect 64 per cent of zero-day threats when running under Windows 7. This is down from 69 per cent in the previous round of certification tests, which were carried out in September, and a drop of 26 per cent compared to the 80 per cent result achieved by the product in June. As a result of the dip in performance, MSE has lost its certified status for Windows 7, something that no other anti-virus product managed to do!

MSE is Microsoft’s free anti-virus package for home users and businesses (with up to ten PCs). During October’s tests AV-TEST gave MSE 4.0 and 4.1 a score of 1.5 out of 6. This very low score is down from its previous score of 2.5 out of 6 mainly due to the 64 per cent zero-day detection rate. The average zero-day detection rate is 88 per cent.

This doesn’t mean that the software is completely useless: in the “detection of widespread and prevalent malware” category, MSE scored 100 per cent (which is actually also the industry average). What this means is that against common malware PCs are very well protected by MSE; the problem is its protection against 0-day malware attacks (including web and e-mail threats).

This isn’t the first time MSE has lost the AV-TEST certification; it also happened in September 2010. To be fair to Microsoft, although it was the only vendor which failed to achieve certification for Windows 7, four other products missed out for Windows Vista and two for Windows XP.

“Microsoft prioritizes protection based on impact and prevalence of malware affecting Microsoft customers from a global perspective,” a Microsoft spokesperson told SecurityWeek in an emailed statement. “The Microsoft Malware Protection Center actively supports third-party testers to use similar methodology in their test results. We reaffirm that Microsoft is committed to providing a trustworthy computing experience and continues to invest heavily in continuously improving our security and protection technologies.”

Four security products scored 6 out of 6 for Windows 7 protection: Bitdefender: Internet Security 2013, F-Secure: Internet Security 2012 & 2013, Trend Micro: Titanium Maximum Security 2013 and G Data: InternetSecurity 2013. Bitdefender was the only product to achieve 6 out of 6 for the repair metric which tests how well a product cleans and repairs a malware-infected computer.

Multiple critical vulnerabilities found and almost fixed in Sophos Antivirus

(LiveHacking.Com) – Tavis Ormandy has published a paper, called “Sophail: Applied attacks against Sophos Antivirus” which describes realistic attacks against Sophos Antivirus. Buried not too deep in the analysis is a working pre-authentication remote root exploit that does not require any user interaction. Tavis expects that this exploit could be wormed within the next few days.

As a result of the disclosure, Sophos has published a response outlining a schedule for fixing the vulnerabilities. Many of the holes have been patched already in updates published by Sophos on October 22. Further patches were released yesterday, and on 28 November 2012 Sophos plans to release patches for bugs found by Tavis which cause the anti-virus engine to halt when parsing certain malformed files.

In each case Sophos is keen to point out that there is no evidence of these vulnerabilities being exploited in the wild.

Ormandy’s publication is his second paper in a series on Sophos internals. It puts into practice the results previously found in the first paper. It is intended for a technical audience and describes the process a sophisticated attacker would take when targeting Sophos users.

“By design, antivirus products introduce a vast attack surface to a hostile environment. The vendors of these products have a responsibility to uphold the highest secure development standards possible to minimize the potential for harm caused by their software”, wrote Tavis in his paper.

Tavis did follow a responsible disclosure practice with these vulnerabilities. He informed Sophos in September about the problems and the anti-virus heavyweight requested two months to look into the bugs. However, as he points out, “Sophos did allocate some resources to resolve the issues discussed, however they were clearly ill-equipped to handle the output of one co-operative, non-adversarial security researcher. A sophisticated state-sponsored or highly motivated attacker could devastate the entire Sophos user base with ease.”

There will be a third paper in the series which Tavis is working on now. It will be announced at a future date.

Google buys VirusTotal to boost its online protection services

(LiveHacking.Com) – VirusTotal, a free online service that analyzes files and URLs for malware, has been bought by Google. The purchase is seen by many as a way for Google to boost the protection it offers for its online services like Gmail and Google+. VirusTotal will continue to operate independently, and the company plans to maintain its partnerships with other antivirus companies and security experts.

VirusTotal works by aggregating warnings on user submitted files and URLs from all the major antivirus solutions, including Intel Corp’s McAfee and Symantec Corp. Once a file or URL is received, VirusTotal performs the malware checks and then distributes the results to security vendors. Since those returned results include the original document or website in question, the service is seen as a valuable resource that allows the security industry to spot emerging threats.

“VirusTotal will continue to operate independently, maintaining our partnerships with other antivirus companies and security experts. This is an exciting step forward. Google has a long track record working to keep people safe online and we look forward to fighting the good fight together with them,” said the company on its blog.

Terms of the deal were not disclosed.

McAfee protects the Department of Homeland Security as it protects America

(LiveHacking.com) — The Department of Homeland Security, which was created in response to the September 11 attacks and is tasked with protecting the USA from terrorist attacks, has awarded McAfee (which is a wholly owned subsidiary of Intel) a multi-year Enterprise Level Agreement contract with a potential value of up to $12 million.

The contract is for the world’s largest dedicated security technology company to provide the DHS with a broad variety of enterprise wide network and system security support, products, and services. This new agreement follows on from a blanket purchase agreement contract McAfee was awarded last year by the same department. These two contracts mark a significant departure in the way federal agencies source security services.

“This deal is a reflection of the advanced level of collaboration that is going on within the Department of Homeland Security,” McAfee Regional Director for Federal Civilian Sales James Yeager said. “DHS is leading the way in terms of how a government agency can collaborate internally in order to craft a holistic, enterprise-wide approach to security, rather than a patchwork, which can leave agencies spending too much for what is ultimately substandard protection.”

Multiple Chief Information Officers within the DHS supported the decision to award the contract. McAfee has served DHS since the department’s inception in 2003, and the continued relationship reflects well on the company.

The deal expands and extends the DHS’s continuous monitoring and security capabilities and provides the department with an enterprise-wide framework to meet current and future security requirements. There are also significant short- and long-term savings on maintenance.

One in Six PCs Without Basic Security Software

(LiveHacking.Com) – A recent study has shown that world-wide 17% of all computers have no anti-virus software installed and, surprisingly, the USA is one of the worst countries. Ranked in the bottom 5, 19.32% of USA consumers have no basic security software, of any kind, installed. This compares to the top ranked country of Finland, where only 9.7% of consumer PCs are unprotected.

The study, which was conducted by McAfee, used a free diagnostic tool for Windows called McAfee Security Scan Plus. It is able to detect the majority of security programs available for Windows, and it also checks the computer being scanned for threats, anti-virus software and firewall protection. Data was collected from computers in 24 countries, and an average of 27 million PCs were analyzed each month. This allowed McAfee to determine a global estimate of the number of consumers who have basic security software.

What is even more interesting is that in countries like Singapore, Canada, the USA and the UK, up to 11% of the PCs scanned actually had some form of security software installed but it was disabled! Since basic security software is available for free from the likes of Microsoft, AVG and avast!, it is extraordinary that users are running PCs without it. According to McAfee, many consumers still believe that by only visiting known “safe” sites, they’ll be protected from all forms of malicious content.

“The freedom to browse the Internet comes with the added risk of unwanted exposure, and cybercriminals are preying on unsuspecting victims,” says Steve Petracca, SVP and GM of consumer, small business and mobile at McAfee. “With the increasing number of global cyber-attacks affecting consumers, it is critical that the 17% of consumers that are unprotected update their virus protection before it’s too late.”

Recently, McAfee released its quarterly threats report for Q1 2012, which showed that PC-based malware hit a new high during the quarter and showed the largest single jump in malware numbers in the last four years.

McAfee Says Malware Surpassed 75 Million Samples in 2011

(LiveHacking.Com) – McAfee has released its Q4 2011 Threat Report (a PDF) and it shows that last year McAfee collected over 75 million unique malware samples! It also shows that 2011 was by far the busiest period for mobile malware, with Android the number one target for writers of mobile malware.

The most common type of Android malware is the for-profit SMS-sending Trojan, which earns cyber-criminals significant amounts of money by sending messages to premium services. Rooting Android devices is getting easier and easier, and there are now apps which combine vulnerability exploits to root phones with the click of a button. However, the downside of this is that malware writers can repackage those very same root-exploit apps with malware.

There is a sliver of good news in that the overall growth of PC malware is on the decline and is much lower than this time last year. The report also noted a continued decline in Fake AV malware, with AutoRun and password-stealing Trojan malware showing only slight declines. However, the context of this is that McAfee’s cumulative number of unique malware samples exceeded 75 million.

In Q4 2011, the most common type of remote attack was via vulnerabilities in Microsoft Windows remote procedure calls. This was followed by a very close race between SQL-injection and cross-site scripting attacks. The result is that the number of reported data breaches has more than doubled since 2009 with more than 40 breaches publicly reported in Q4 alone.

“Although the release of new malware slowed a bit in Q4, mobile malware continued to increase and recorded its busiest year to date,” Dave Marcus, Director, Security Research at McAfee said in a blog post.

McAfee to Patch Two Vulnerabilities in its SaaS for Total Protection

(LiveHacking.Com) – Two vulnerabilities have been found in McAfee’s SaaS for Total Protection, one of which allows a customer’s system to be used as a spam relay. The problem, which was exposed on British art firm Kaamar Limited’s blog earlier this week, has been gaining more and more public attention and now McAfee has started to release information about the issues and details of patches.

As spammers have started to exploit the flaw a number of McAfee’s customers have had their emails blocked after their IP addresses were blacklisted by anti-spam services. “It is believed that thousands of computers have been compromised so far, with more being affected every day,” said Kaamar in its original blog.

“The second issue has been used to allow spammers to bounce off of affected machines, resulting in an increase of outgoing email from them. Although this issue can allow the relaying of spam, it does not give access to the data on an affected machine. The forthcoming patch will close this relay capability,” wrote David Marcus, Director, Security Research at McAfee.

According to an update on McAfee’s blog, the patch for the spam issue is now rolling out to customers, and everyone should have the update shortly.

Norton Source Code Was Stolen in 2006 According to Symantec

(LiveHacking.Com) – The hacking group calling itself “Lords of Dharmaraja” caused a stir recently when they claimed to have stolen the source code for Norton Antivirus. Symantec, the makers of Norton Antivirus, quickly denied the allegations, saying that the hackers had source code for Symantec Endpoint Protection 11.0 and Symantec Antivirus 10.2, which are both more than five years old. However, Symantec has now acknowledged that source code for a 2006 version of its Norton security products did in fact get stolen.

“Upon investigation of the claims made by Anonymous regarding source code disclosure, Symantec believes that the disclosure was the result of a theft of source code that occurred in 2006,” said Symantec spokesperson Cris Paden. “We believe that source code for the 2006-era versions of the following products was exposed: Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks (Norton Utilities and Norton GoBack); and pcAnywhere.”

“Due to the age of the exposed source code, except as specifically noted below, Symantec customers – including those running Norton products — should not be in any increased danger of cyber attacks resulting from this incident,” he continued. “Customers of Symantec’s pcAnywhere product may face a slightly increased security risk as a result of this exposure if they do not follow general best practices. Symantec is currently in the process of reaching out to our pcAnywhere customers to make them aware of the situation and to provide remediation steps to maintain the protection of their devices and information.”

Affected products include:

  • Norton Antivirus Corporate Edition
  • Norton Internet Security
  • Norton SystemWorks (Norton Utilities and Norton GoBack)
  • pcAnywhere 12.0, 12.1 and 12.5
  • Symantec Endpoint Protection v11.0, which is four years old
  • Symantec AntiVirus v10.2, which is five-year-old code and a product that has been discontinued

Symantec goes on to say that “customers of Symantec’s pcAnywhere product may face a slightly increased security risk as a result of this exposure. Symantec is currently in the process of reaching out to our pcAnywhere customers to make them aware of the situation and to provide remediation steps to maintain the protection of their devices and information.”