Microsoft Warns Of Potential Attacks
Microsoft has warned of a potential compromise to data security in the graphics component used in several of its most common applications, which may leave the door ajar for hackers to access private information. It said Windows, Office and Lync were potentially at risk from "a remote code execution vulnerability that exists in the way affected components handle specially crafted TIFF images".
It explained: "An attacker could exploit this vulnerability by convincing a user to preview or open a specially crafted email message, open a specially crafted file, or browse specially crafted web content. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user." This risk is mitigated by certain factors, Microsoft noted. One of these is that any hacker would only have the same user rights as the person at the other end who unwittingly permits them access. This means accounts configured with limited user rights will face less potential impact than those where the user has administrative rights and therefore access to more data. It also noted that the web-based hacking scenario is dependent on the user being prompted to view the attacker's website, something nobody can actually be forced to do.
Even so, the fact that such an issue can arise may cause considerable concern, not least for users of various Windows 2008, Office 2003, 2007 and 2010 and Lync 2010 packages (there are many other Microsoft applications not affected, such as Communicator and Office 2013 packages). Naturally, Microsoft is working on the problem, via its Microsoft Active Protection Programme. It stated: "Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs."
For many companies, this situation may offer ample evidence of the need to ensure their information security is given top priority. One way to do this is to have data stored remotely and off-site. This means, for instance, data can be backed up out of reach of potential hackers, so that cyber attackers who seek to alter the details stored on the in-house system will not be able to destroy or alter all the data in an irretrievable fashion. This means data recovery will remain possible even after a major cyber attack that makes a big mess of everything stored on an in-house system.
Data security requires plenty of expertise and when even Microsoft's technology can contain weak points, that message is hammered home. Back-up can be invaluable in such situations. Security failure can, of course, be exacerbated by user error; a point emphasised by new research on the security breach at Adobe last month, during which the details of millions of users were stolen. Updated figures released by the company at the end of last month showed 38 million active accounts were affected and the total number of compromised accounts, including dormant ones, may have been as high as 150 million.
While the original loss of data was due to the company's inability to withstand a cyber attack, those who have taken the details may have found it much easier to gain access to every last item due to the slack passwords being used. Examples of this included no fewer than 1.9 million users adopting the simplistic "123456", while "password", "adobe123", "photoshop", "abc123", "123123" and "adobe1" were among the top 20 most used, making the job of guessing them easier for hackers.
Worse still, once a password has been identified it can open up new vulnerabilities, as the user may deploy the same arrangement of letters and numbers for other accounts, so a hacker may access other accounts and applications too. However, while wise users will adopt some fairly obscure passwords that would be hard to guess in the first place, the fact remains that Adobe's technology was found wanting in the first instance. It therefore remains as true in this case as that of the possible Microsoft hacking victims that storing data remotely can help ensure better data security.
Storetec News/Blogs. "http://www.storetec.net/newsblog/microsoft-warns-of-potential-attacks". Microsoft Warns Of Potential Attacks. November 6, 2013. Storetec.