    TrendLabs Security Intelligence Blog

    Archive for November 29th, 2012




    Apart from keeping servers and endpoints secure, IT teams in enterprises also make sure that day-to-day business operations run smoothly. With this in mind, IT groups often delay installing security updates after software vendors release them, for several reasons. For one, applying patches often requires restarting mission-critical servers, and at times this may require services to go offline. Testing and actual deployment of patches may also take up to 30 days or more because IT teams need to research the effects of these patches.

    Ultimately, the need to avoid business disruption in order to meet SLAs and reduce operation costs can force IT teams in charge of security to deprioritize patch management. In short, operational concerns and compliance mandates tend to prevail over security.

    As a result, this introduces windows of exposure leading to these security risks:

    • Zero-day exploits: exploits that leverage vulnerabilities before vendor announcement and patch release
    • “Buggy” or incomplete vendor patch: flawed patch released by software vendor to fix a vulnerability
    • In-the-wild exploit: cybercriminals often use exploits as an infection vector or delivery mechanism

    Posted in Vulnerabilities


    Nov 29, 7:36 am (UTC-7)

    Some malware is more persistent than others – like WORM_VOBFUS. This recent heap of WORM_VOBFUS variants seen spreading on Facebook does not exhibit new routines, but it is a good reminder for users about well-known but easily forgotten safe computing practices.

    Based on our initial analysis, these WORM_VOBFUS variants do not show any advanced routine or propagation technique. However, based on our Smart Protection Network™ feedback, infections by this malware have grown in the past days.

    Aside from spreading on Facebook, there is nothing new so far about WORM_VOBFUS. So why is it still a problem? Below are some persistent issues surrounding WORM_VOBFUS.

    Posted in Malware, Vulnerabilities



    We discussed last week the risks that out-of-office notifications pose for organizations – namely, that they could serve as leaks that an attacker could use to conduct successful attacks.

    However, the threats from automatic e-mail replies don’t stop with out-of-office notifications. Two other types of automatic replies also pose a threat: bounce messages, and read notifications. Let’s deal with them one at a time.

    Bounce messages – more formally known as non-delivery reports (NDRs) – have long been known to be a spam problem. However, they too can become a source for information leakage: improperly configured mail servers can leak details such as their host name, IP address, and software configuration. A skilled attacker can use this information in various ways – whether it’s technical (i.e., attack the server) or non-technical (build an org chart).

    However, the primary usage of bounce messages would be to provide real-time confirmation of e-mail addresses. While e-mail addresses found online will probably work, bounce messages can be a more effective and accurate way to confirm email addresses.

    Read receipts are even more problematic. They tell an attacker whether an attack “succeeded” or not: i.e., whether a human read the email. (Implicitly, they also tell the attacker that the email address does exist.) This is some of the most valuable information an attacker can get – he can use this information to gauge what kind of email his victims will read. In combination with web bugs, the attacker can even determine what software the victim is running.

    Posted in Targeted Attacks


     

    © Copyright 2013 Trend Micro Inc. All rights reserved.