Microsoft Security Issues Announced
On Tuesday, Microsoft issued an IT Security warning to users of Microsoft Windows Vista, the Microsoft Office suite and other software. Though the affected software is somewhat outdated, the IT Security risk still lingers for many organizations that continue to use these products. The affected software suites are:
- Microsoft Windows Vista
- Microsoft Lync
- Microsoft Office 2003-2010
- Windows Server 2008
Like many other attacks, this one requires user interaction. Dustin C. Childs, Group Manager of Response Communications for Trustworthy Computing at Microsoft Corporation, warns of a specific scenario that has been exploited in the Middle East and Asia. In these attacks, the victim receives an email requesting that they open a specially crafted Word attachment. The exploit is delivered through a malformed graphics image embedded within the Word document. Once the file is opened, the breach is complete and the attacker has the same access and user rights as the victim. The official statement from Microsoft Security spokesperson Dustin C. Childs explaining this can be found here. The Microsoft Security Advisory (Microsoft Security Advisory 2896666) can be found here.
The most troubling aspect of this scenario is how widely these products are used. In earlier articles we mentioned the Adobe breach, which eventually affected approximately 38 million users. Though the Adobe products that were hacked are widely used, they do not compare to the potential security issues with these Microsoft products. There could be billions of copies of this software still in use today, making this a pretty scary scenario.
How to Protect Your Organization from the Microsoft Security Issues:
There are a number of practices that your organization should convey as common practice to each of your employees. One of the most important things you can do as an IT administrator is to control access based on each person's need-to-know role within the organization. This will help minimize collateral damage if an IT security breach occurs. We would also suggest having an incident response plan in place in case a breach occurs. Your organization could also conduct regular security awareness training to educate all of your employees, contractors and temporary staff on best practices for protecting the data they control and access. Correct use of email and portable storage device security are some of the major topics covered in these sessions.
Microsoft is advising users to apply “workarounds”, which are simply special configurations or settings that minimize the opportunity for a breach until the official security update is offered and pushed out to the masses.
If your organization is using any of the above-mentioned Microsoft products and you are concerned about your security, we would like to speak with you to help ensure the protection of your sensitive information and valuable business data.