A report into the state of internet security has found patching is still woefully poor among computer users.
Of the ten most exploited vulnerabilities in M86 Security's analysis of the first half of 2010, only one had received its patch this year; one fix dated back to 2006, and the majority were at least two years old. Half of the flaws were in Microsoft products, namely Internet Explorer, Access Snapshot and video streaming controls.
“The attackers go for low-hanging fruit,” said Bradley Anstis, vice president of technology.
The number of client-side vulnerabilities and the differing access needs of users make it difficult for IT departments to run a coherent patching strategy, and make locking down users an imperfect solution. Ideally almost no users would have admin access, but this was seldom realistic, he said.
“Ideally is a great word: ideally people shouldn't be logging on as admin, ideally they should be closing things down as soon as possible, but there are other issues.”
Hackers are also getting increasingly smart about hampering attempts to block their code, the report finds.

It details a new attack in which JavaScript works in conjunction with Adobe's ActionScript (Flash) code: the two set up a communications channel via Flash, so that only half of the attack code is exposed in any one place.
Spam volumes in 2010 have now fully recovered from the shutdown of McColo and other rogue ISPs, the report found, and spam accounts for around 86 percent of the email arriving at corporate mailboxes.
The Rustock botnet is the biggest spam sender, accounting for over 40 percent of all spam detected. Over 80 percent of spam advertises pharmaceutical products, usually under the Canadian Healthcare or Canadian Pharmacy brands.
“Canadian Pharmacy is nothing to do with Canada,” explained Anstis.
“The company looks to be based in Eastern Europe. They used Canadian Pharmacy because in North America Canadians are seen to be a trustworthy, healthy, well-living sort of people.”