Security Advisor

End of Support for XP, IE 6 May Pose Major Security Risks

• By Jabulani Leffall
• 03/22/2011

Internet Explorer remains the world's most prominent and pervasive way to access and surf the Web. We don't have to tell you that it's popularity also means it's the biggest attack vector for hacks, malware and botnet deployment, corrupt links and many other tools that hackers pull out of their hats.

And just as Internet Explorer has evolved, so has the OS its sits on, and so have the hackers' methods of attack. And this makes the end of support for Windows XP, which is 10 years old, all the more real to other browser makers -- Mozilla's Firefox, Google Chrome, Apple's Safari for Windows and Opera Software's Opera -- who continue to support it.

Microsoft said that with IE 9 it's all about hardware acceleration but its competitors, particularly Mozilla, think there may be some operational and security implications Microsoft is ignoring by ending its support for XP.

Here's some perspective: According to Web analytics firm Net Applications, just last month XP accounted for 55 percent of all operating systems used to connect to the Web. In other words, more than half of all Internet traffic is running on an unpatched, unsupported OS.

For its part, Microsoft is pushing hard to discontinue IE 6, which is XP's default browser.

Since XP is widely in use both in America and is predominant in Asia, there's no doubt that issues such as rootkits designed for the unsupported OS could remain a possibility. So, for Microsoft, ending XP support and scrapping IE 6 is necessary and pragmatic business.

Flash, Reader Fixed
Adobe Systems released two updates to begin the week. One was for its PDF Reader and Acrobat program and the other was for its Flash Player, which plays digital video and audio.

Microsoft was most concerned about the Flash Player vulnerabilities. In the latest entry on its Security Research and Defense blog, Redmond had been urging users of Office applications to "enable a number of security protections called 'security mitigations'," for the bug in Adobe's Flash Player.

Specifically Redmond said enabling the Enhanced Mitigation Experience Toolkit would go a long way in helping stave off bugs from third-party applications that can be deployed on a Windows platform, during an IE browser session, within an Office document or attached in an Outlook e-mail.

"It's a good idea to configure EMET to protect not just Excel, but all of the Office applications, as even though the attacks we've seen only target Excel, Flash Player can also be hosted in other Office applications as well," wrote Microsoft Security Response manager Andrew Roths and security engineer Chengyun Chu.

Microsoft, Yahoo! Concerned About Internet Safety
A consortium including Facebook, Ninemsn, Yahoo! and Microsoft appeared before Australian Parliament committee this week saying that more needs to be done to shore up safety on the Internet.

This is for everyone generally and for social media users specifically the group told the panel of Aussie lawmakers that Internet Filters for trusted sites among adult and enterprise users as well as parental controls on MACs and PC's for parents weren't enough.

Microsoft's top security adviser in the Land Down Under, Stuart Strathdee, said there was a "general misconception among people that they are safe on the internet."

"People just believe they're protected," he told the panel in hearings on Monday, adding that better education about online safety and privacy was critical. "We need to look at other programs."
 
The committee meeting is part of an ongoing program among tech giants to get governments around the world involved in a more uniform cyber security code that can be tracked, monitored and prosecuted across borders and in different jurisdictions.
 
Among the remedies the panel proposed were the inclusion of a cyber safety manual with the sale of every PC and Web-enabled mobile phone, and more pervasive business standards.

Another recommendation is the creation of an "Internet czar" based in the prime minister's office to work with cabinet-level counterparts in other countries and to coordinate the fight against cyber criminals.