January 15, 2013, 10:55 AM —
If you work in IT security, this week started off with a bang, as Oracle and Microsoft released critical, out-of-cycle patches to fix serious and exploitable holes in their software. The patches put an end to the haranguing each company was getting from security experts, but it certainly isn't the end of the story - or the hand-wringing for organizations already wary of attack.
First, on Sunday, Oracle Corp., which manages the Java technology, pushed out a much anticipated update to its Java Standard Edition 7 software, closing a security hole that is being actively exploited in web-based attacks that install crimeware and other malicious programs. Java Standard Edition 7 Update 11 replaces Update 10.
Then, on Monday, Microsoft broke with its monthly patch cycle to fix a critical hole in some older versions of the Internet Explorer (IE) browser. The company pushed out MS13-008 for IE versions 6-8 almost two weeks after reports of sophisticated online attacks that exploited the previously unknown hole.
But the software fixes from Oracle and Microsoft are unlikely to keep customers secure for long. Prominent security researchers have noted that Oracle has yet to fix multiple, critical holes in Java. And Adam Gowdiak, a researcher at the Polish firm Security Explorations, says that the latest critical hole stemmed from an unsuccessful effort to close a hole reported to the company in August 2012. Look for more scrutiny of Oracle's handling of reported holes in the ubiquitous Java technology, which runs on an estimated three billion devices globally.
If you get really upset by stories about gaping security holes in the computer systems that keep your lights on and your water drinkable, you might just want to stop reading the news this week. That's because the annual S4 Conference in Florida, which kicks off on Tuesday, will be generating a steady stream of wince-inducing reports on the flimsy security controls that make our advanced civilization run. SCADA and industrial control system (ICS) software has been in the spotlight ever since the Stuxnet worm started wiggling across systems that run Iran's secretive uranium enrichment operation, and S4 brings together some of the globe's top experts in the security of industrial systems.
Among the presentations are discussions of security holes in commonly used medical device software, as well as ways that cyber attacks could be used to cause physical damage to electrical substations and other critical infrastructure. So get yourself ready for lots of worrying-sounding news from S4 and stone-faced advisories from the folks at DHS. In fact, the fun started even before the SCADA and industrial control experts had convened in Florida. The Department of Homeland Security's ICS-CERT warned on Monday about RF-based vulnerabilities in Siemens' Simatic software.