Tuesday, April 29, 2014

A Serious Security Flaw in Internet Explorer; What It Means for the IRS, Your ATM and You

By Micah Armantrout

According to CNET, a new vulnerability has been found in all versions of Internet Explorer. The bug was found after Windows XP was dropped from Microsoft's extended support.
The CNET article states:
"The vulnerability is currently being exploited by a group of hackers targeting financial and defense organizations in the US," FireEye told CNET.
The IRS may be one of the organizations under attack. Computer World reports that the IRS has not completed its upgrade from Windows XP to Windows 7.
During an IRS budget hearing on April 7 before the House Financial Services and General Government subcommittee, the chairman, Rep. Ander Crenshaw (R-Fla.) wondered why the agency had not wrapped up its Windows XP-to-Windows 7 move.
"Now we find out that you've been struggling to come up with $30 million to finish migrating to Windows 7, even though Microsoft announced in 2008 that it would stop supporting Windows XP past 2014," Crenshaw said at the hearing. "I know you probably wish you'd already done that."
According to the same Computer World article, the IRS is now paying extra for a custom patch job:
Part of that $30 million will be payment to Microsoft for what the Redmond, Wash., developer calls "Custom Support," a program that provides patches for critical vulnerabilities in a retired operating system.
Guess what?
Earlier this year, analysts said Microsoft had dramatically raised prices for Custom Support, which previously had been capped at $200,000 per customer for the first year. Instead, Microsoft negotiates each contract separately, asking for an average of $200 per PC for the first year of Custom Support, those analysts said.

Things get even more interesting with ATMs. According to Business Week, most ATMs could also be affected by the same kind of problem that the IRS is dealing with. If an ATM is running Windows XP, as about 95 percent of the world's ATMs are according to the article, then its operator also has to deal with an extra charge from Microsoft; that is, if they are actually paying extra for the "Custom Support".

Some ATM operators may not be doing so. Their ATMs are, thus, more susceptible to attacks. It's not clear that any exploits have yet been designed to hack ATMs using this flaw, but it may be only a matter of time.
As for any other businesses that have not switched from XP: this should be done immediately, or you may end up paying Microsoft lots of money and explaining to customers why their data was so vulnerable to attack.

6 comments:

  1. ATMs are not directly connected to the internet so the vulnerability does not matter.

  2. This comment has been removed by the author.

  3. Where is all the ObamaCare data stored? (Or is the infrastructure so messed up it doesn't get stored?)

  4. Liberista ... no, they are not directly connected to the internet .... but with a virus, indirectly connected is enough to make this a big deal

    Replies
    1. Micah... Not really. If an attacker can get an ATM to open IE and point it at a specially crafted Web page, then that ATM is ALREADY owned and this flaw is the least of their problems.

      You want to know a secret? The vast majority of embedded systems, be they ATMs, cash registers, video security systems or whatever, are virtually never updated due to the maintenance and compatibility issues. Heck, I still have customers running POS systems on Windows NT and OS/2.

    2. Anonymous ... yes, you're right, this particular flaw (dealing with Internet Explorer) does not apply to ATMs, which was previously stated in the article. It's the idea that Windows XP has passed end of life and will not be patched in the future unless a contract is set up with Microsoft. As far as old systems go, I am very familiar that they don't get updated ... which is not always a good thing; if they are connected to the internet and new vulnerabilities are found, it puts the business at risk ... which was the whole point of the article :)
