<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Blog Central &#187; Microsoft</title>
	<atom:link href="http://blogs.mcafee.com/tag/microsoft/feed" rel="self" type="application/rss+xml" />
	<link>http://blogs.mcafee.com</link>
	<description></description>
	<lastBuildDate>Fri, 17 May 2013 22:07:28 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>Bundle Up in the Cloud – A Layered Security Approach</title>
		<link>http://blogs.mcafee.com/enterprise/bundle-up-in-the-cloud-a-layered-security-approach</link>
		<comments>http://blogs.mcafee.com/enterprise/bundle-up-in-the-cloud-a-layered-security-approach#comments</comments>
		<pubDate>Tue, 12 Mar 2013 16:00:29 +0000</pubDate>
		<dc:creator>David Bull</dc:creator>
				<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Enterprise]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[cloud security]]></category>
		<category><![CDATA[Email & Web Security]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Security-as-a-Service]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=22763</guid>
		<description><![CDATA[The product teams here at McAfee work tirelessly to provide our customers with the best security technology available to minimize risk and enable their businesses to operate in a digital environment where new threats and vulnerabilities appear each day. We’re constantly looking at how organizations are operating in the evolving technology landscape, tailoring our products <a href="http://blogs.mcafee.com/enterprise/bundle-up-in-the-cloud-a-layered-security-approach">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>The product teams here at McAfee work tirelessly to provide our customers with the best security technology available to minimize risk and enable their businesses to operate in a digital environment where new threats and vulnerabilities appear each day. We’re constantly looking at how organizations are operating in the evolving technology landscape, tailoring our products to meet the needs of customers who want to be more productive and run their business more efficiently. This evolution has been happening before our eyes with the transition to cloud-based IT – a form factor we fully embrace in our own product development and operations. And by fully embrace – I mean adopt with comprehensive security measures embedded and layered onto the cloud technology we use to ensure we are not leaving our data out in the open. We don’t think you should leave your data out in the open either.</p>
<p>In the cloud-based productivity space, Google and Microsoft are clear innovators in their efforts to give businesses an easy way to transition away from on-premises IT, and operate more like a lean start-up than a traditional enterprise or small business. A traditional enterprise or small business, however, shouldn&#8217;t have to sacrifice security if they want to operate like a lean start-up. Unfortunately, the hosted email services provided by <a href="http://www.google.com/intl/en/enterprise/apps/business/benefits.html?#security">Google</a> and <a href="http://www.microsoft.com/en-us/office365/email-shared-calendar.aspx">Microsoft</a> leave a critical gap in the security posture of any business with sensitive information.</p>
<p>When you host email in the cloud, as with Google Apps for Business or Microsoft Office 365, there are two key areas that you need to focus on when addressing security. These areas are, naturally, the inbound and outbound flow of your mail – essentially what you allow in, and what you allow to leave. For the inbound flow of email, your concerns around viruses, spam, and <i>some</i> phishing attacks will be covered partially by these hosting providers. Neither Microsoft nor Google, however, does a particularly good job inspecting outbound email for sensitive content.</p>
<p>Not protecting your outbound email data is like walking outside in the cold of winter with a t-shirt and no jacket. Sure, you’re partially protected, but you&#8217;ve clearly left yourself out in the open. Email is an inherently insecure communication platform, and anything you don’t want the public to see, you need to protect. The best practice in this situation is to layer up. McAfee makes it very simple to layer outbound email protection onto Google Apps for Business and Microsoft Office 365 by simply checking a box in our management console.</p>
<p style="text-align: center;"><a href="http://blogs.mcafee.com/wp-content/uploads/2013/03/Checkbox365GA.png"><img class="size-full wp-image-22764 aligncenter" alt="McAfee Email Security" src="http://blogs.mcafee.com/wp-content/uploads/2013/03/Checkbox365GA.png" width="162" height="77" /></a></p>
<p>Literally a checkbox. This option allows you to filter outbound email traffic for sensitive data, act upon it as desired, and even <a href="http://www.mcafee.com/us/products/saas-email-encryption.aspx">encrypt email</a> with push/pull encryption. With most solutions, you would need to manually input hundreds of IP addresses into your email security service to inspect email originating from Google or Microsoft. Not to mention that if either vendor makes any update to its IP space, this vast range of addresses would need to be updated on your end as well. Using our service, all of that is taken care of by McAfee.</p>
<p>It really all comes down to simplicity and making it easy to protect information. We want you to thrive as technology advances, not fall victim to the new vulnerabilities it presents. We&#8217;ve significantly reduced the time and complexity of layering our <a href="http://www.mcafee.com/us/products/saas-email-protection.aspx">email security</a> onto leading hosted email providers so you can continue to adopt the technology that is right for your business.  We’re always open to suggestions for how we can better integrate our products into your technology environment. If you have anything to suggest, take a minute to <a href="https://community.mcafee.com/community/business/email_web/saas_email">join our online community</a> and let your voice be heard.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/enterprise/bundle-up-in-the-cloud-a-layered-security-approach/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>8 Facts You Should Know About Microsoft Windows 8</title>
		<link>http://blogs.mcafee.com/consumer/8-facts-you-should-know-about-microsoft-windows-8</link>
		<comments>http://blogs.mcafee.com/consumer/8-facts-you-should-know-about-microsoft-windows-8#comments</comments>
		<pubDate>Thu, 01 Nov 2012 21:36:56 +0000</pubDate>
		<dc:creator>Gary Davis</dc:creator>
				<category><![CDATA[Consumer]]></category>
		<category><![CDATA[Consumer Threat Notices]]></category>
		<category><![CDATA[consumer threats]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Windows 8]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=19920</guid>
		<description><![CDATA[Microsoft released the highly anticipated Windows 8 OS last week, and the media has been buzzing about its touch-based system and new features. Although Windows 8 is an improvement from its predecessor, the new OS still contains vulnerabilities. Some are well documented, while others have yet to be found. For complete security and consumer peace <a href="http://blogs.mcafee.com/consumer/8-facts-you-should-know-about-microsoft-windows-8">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>Microsoft released the highly anticipated Windows 8 OS last week, and the media has been buzzing about its touch-based system and new features.</p>
<p>Although Windows 8 is an improvement from its predecessor, the new OS still contains vulnerabilities. Some are well documented, while others have yet to be found. For complete security and consumer peace of mind, below are 8 facts about Windows 8 you should know to make sure you’re protected.</p>
<p><strong>1.  Scammers Take Advantage of Windows 8 Excitement  </strong></p>
<p>There’s no such thing as a free lunch. If you’re shopping around for Windows 8, don’t fall for scams that <a href="http://www.zdnet.com/phishing-email-hijacks-windows-8-launch-7000006606/">offer free versions</a> or deep discounts. Scammers historically exploit consumer news to find victims online, and Windows 8 is no exception.</p>
<p>It might be tempting to click that link offering a free copy of the OS, but always remember that there could be viruses or other malware waiting on the other side. The sites themselves could also be fraudulent, looking to steal personal information such as your credit card number.</p>
<p><strong>2.  </strong><strong>Secure Boot is an Improvement with Limits</strong></p>
<p>Windows 8&#8217;s new Secure Boot feature <a href="http://www.pcmag.com/article2/0,2817,2411464,00.asp">only allows pre-approved applications</a> to load during startup. This means the only applications that load are ones you have authorized.</p>
<p>However, Secure Boot has its limitations. It essentially locks down devices to prevent users from running non-Windows systems, open source software (like free programs), or applications not created by Microsoft or a validated third party.</p>
<p><strong>3.  </strong><strong>Running Non-Microsoft Applications? You’re at Risk.</strong></p>
<p>One of the most popular antics of hackers today is to target applications that run on multiple devices such as Adobe Acrobat Reader or Java. This makes sense, because if someone is going to write malware, then why not get the most bang for the buck by having it run on PCs, Macs, smartphones and tablets.</p>
<p><strong>4.  </strong><strong>Dangerous Download Warnings Don&#8217;t Promise Protection </strong></p>
<p>SmartScreen works for all browsers on Windows 8, automatically checking downloads from the Internet to see if the file or program is known to be malicious. Part of this check includes download history as well as the popularity and reputation of the file. If the download receives a low rating, SmartScreen offers a warning message to users.</p>
<p>While the feature is helpful, the fact that it&#8217;s available doesn’t mean users will heed its warning. SmartScreen becomes ineffective if the user decides to override the system and download the suspicious file anyway. It’s also important to note that SmartScreen only applies to the reputation of the file or website. It does not extend to unique phishing scams on social networks such as Facebook. This is crucial to understand, as McAfee has seen a dramatic increase in hackers using social media to spread malicious materials.</p>
<p><strong>5.  </strong><strong>Picture Password is Fun, But is it Secure?</strong></p>
<p>One of the many touch-based features, Picture Password is a new security login option where users <a href="http://www.techrepublic.com/blog/security/what-you-should-know-about-windows-8-security-features/7900">choose a picture and set a three-gesture “password” sequence</a>.</p>
<p>Although fun and easy to remember, anyone looking over your shoulder could log into your system.</p>
<p><strong>6.  </strong><strong>Windows App Store Screens for Security</strong></p>
<p>With all of the apps out there today, it can be hard to figure out which ones are safe to use. Hackers know what Microsoft looks for in Windows App Store applications and it won’t be long before they circumvent their controls with malicious code or find other ways to use those apps to scam users.</p>
<p><strong>7.  </strong><strong>Security with Internet Explorer 10</strong></p>
<p>Internet Explorer 10 is Microsoft’s safest browser yet. However, if you’re like most people and prefer an alternative browser such as Google Chrome or Mozilla Firefox, you’re out of luck. MS does not extend any security capabilities to those browsers.</p>
<p>In addition, no matter how secure IE 10 ranks, there will always be <a href="http://www.theregister.co.uk/2012/09/22/win8_ie10_flash_fix/">vulnerabilities and patches</a> Microsoft needs to address.</p>
<p><strong>8.  </strong><strong>Windows 8 Continues to be in the Crosshairs of Malware Writers</strong></p>
<p>Even with all the advancements in security that Microsoft made in Windows 8, they are still – by far – the most targeted company by malware writers. The reason for this is simple: They have the most systems out there, and hackers always try to exploit vendors fortunate enough to have the bulk of computing devices using their operating system.  As a word of caution, Android is experiencing this today as well.</p>
<p>With Windows 8, Microsoft requires that every system have anti-virus software installed and operational. We applaud that requirement, but what’s important is that you choose a security provider with a proven track record of delivering highly effective protection against evolving threats, and whose software offers security attributes beyond basic anti-virus protection.</p>
<p>Whether you’re considering an upgrade, researching your options, or already using Windows 8 – remember that even with security improvements, it’s still essential to have a dependable security solution to protect legacy applications. <a href="http://www.mcafee.com/us/about/news/2012/q3/20120918-01.aspx">McAfee’s security solutions are compatible with all versions of Windows</a> (including Windows 8) and with our <a href="http://home.mcafee.com/store/">wide range of products</a>, you’re bound to find one for your needs. For more security news and updates, follow us on Twitter <a href="http://www.twitter.com/McAfee">@McAfee</a> and <a href="http://www.twitter.com/McAfeeConsumer">@McAfeeConsumer</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/consumer/8-facts-you-should-know-about-microsoft-windows-8/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>With New Windows OS, the Key is Staying One Step Ahead</title>
		<link>http://blogs.mcafee.com/enterprise/with-new-windows-os-the-key-is-staying-one-step-ahead</link>
		<comments>http://blogs.mcafee.com/enterprise/with-new-windows-os-the-key-is-staying-one-step-ahead#comments</comments>
		<pubDate>Fri, 26 Oct 2012 15:35:05 +0000</pubDate>
		<dc:creator>Pat Calhoun</dc:creator>
				<category><![CDATA[Enterprise]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[enterprise security]]></category>
		<category><![CDATA[file scanning]]></category>
		<category><![CDATA[filtering products]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[McAfee Firewall Enterprise]]></category>
		<category><![CDATA[McAfee Labs]]></category>
		<category><![CDATA[McAfee Network Security Platform]]></category>
		<category><![CDATA[mcafee threat report]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[multilayer security system]]></category>
		<category><![CDATA[pat calhoun]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security attacks]]></category>
		<category><![CDATA[SIEM]]></category>
		<category><![CDATA[signed drivers]]></category>
		<category><![CDATA[Windows 8]]></category>
		<category><![CDATA[Windows Server 2012]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=19672</guid>
		<description><![CDATA[I love new technology probably more than I love beer &#8211; and I love beer.  When I hear rumor of new tech products coming out or even updates to existing solutions, I get really energized.  I mean, we live in a world where so many problems can be solved with technology and the resulting opportunities <a href="http://blogs.mcafee.com/enterprise/with-new-windows-os-the-key-is-staying-one-step-ahead">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>I love new technology probably more than I love beer &#8211; and I love beer.  When I hear rumor of new tech products coming out or even updates to existing solutions, I get really energized.  I mean, we live in a world where so many problems can be solved with technology and the resulting opportunities are endless.  This is what makes me want to get up for work every day.</p>
<p>But, I also see the world from a very different perspective – one that makes me realize that with every exciting new technology released there are risks.  Exploits are being developed almost in lock-step with new releases and upgrades.  This is why I have mixed emotions around the new Windows 8 and Windows Server 2012 release that’s coming out on October 26.</p>
<p>Yes, Microsoft is rolling out an extensive array of new features and Windows 8 is also including “mitigation enhancements that further reduce the likelihood of common attacks.”  But, here’s the catch: these are complex operating systems and we anticipate they will exhibit critical vulnerabilities that will be exploited by malware writers. </p>
<p>Take signed drivers for example.  Signed drivers are one of the most significant security innovations in Windows 8 and may also be the biggest target for future attacks.  Attackers have discovered that if they sign their malicious payloads with stolen or rogue certificates they can defeat some file scanning and filtering products as well as whitelisting products.  According to <a href="http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q2-2012.pdf?cid=BHP010">the McAfee Q2 Threats Report</a>, the number of known signed malware samples nearly doubled in Q2 – which is especially unnerving in this context.</p>
<p>So, with great power comes great responsibility.  Even with these enhancements, Microsoft has stated that “all Windows 8 users should be protected by traditional anti-malware software.” This is where McAfee comes in.  Our developers have been working closely with Microsoft to ensure that our products are designed to support Windows 8 and Windows Server 2012 &#8211; offering consumers and enterprises the tools and security necessary to protect against all threat vectors and subsequent data loss.</p>
<p>To that end, it’s important to know that McAfee’s protection extends beyond the endpoint and starts with the network.  McAfee Network Integrity Agent (NIA) has the ability to send connection information from Windows 8 machines to the McAfee Firewall Enterprise that can then be used for policy decision making and auditing.  NIA monitors the system for outgoing connections such as zero-day malware on the new Windows 8 Windows Runtime (WinRT) environment.  McAfee Network Security Platform can also detect attacks targeted at the new Windows 8 Runtime environment.  Signatures written by McAfee Labs will have the ability to detect these targeted attacks and block or log them to a SIEM.</p>
<p>Another thing to consider is that the new OS is capable of determining whether a download, application or executable is allowed.  My experience, however, is that by then, perimeter security has already been compromised.  At McAfee, we believe in a <a href="http://www.mcafee.com/us/enterprise/reference-architecture/index.aspx">security connected philosophy</a> which also includes a Web Protection solution.  Validating the payload, filtering the malicious software, and controlling all types of web applications and media downloads should be done as far away from the network as possible.  By using McAfee products, our customers can feel confident that they are using a comprehensive, multilayer security system that offers strong protection against known and unknown threats.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/enterprise/with-new-windows-os-the-key-is-staying-one-step-ahead/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Busy Month for Apple</title>
		<link>http://blogs.mcafee.com/mcafee-labs/busy-month-for-apple</link>
		<comments>http://blogs.mcafee.com/mcafee-labs/busy-month-for-apple#comments</comments>
		<pubDate>Tue, 22 Mar 2011 16:31:15 +0000</pubDate>
		<dc:creator>Francois Paget</dc:creator>
				<category><![CDATA[McAfee Labs]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[patch]]></category>
		<category><![CDATA[vulnerability]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=8433</guid>
		<description><![CDATA[This month, Apple published seven security updates resolving around 250 issues. The last patch arrived yesterday; it addressed Mac OS X 10.6.7. Adding the CVE IDs (for Common Vulnerabilities and Exposures) listed in each patch does not give us an accurate view of the number of vulnerabilities involved. Several appear in more than one patch: <a href="http://blogs.mcafee.com/mcafee-labs/busy-month-for-apple">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>This month, Apple published seven security updates resolving around 250 issues. The last patch arrived yesterday; it addressed <a href="http://support.apple.com/kb/HT4581">Mac OS X 10.6.7</a>.</p>
<p><img src="http://vil.nai.com/images/FP_BLOG_110322_1.jpg" alt="" width="425" /></p>
<p>Adding the CVE IDs (for Common Vulnerabilities and Exposures) listed in each patch does not give us an accurate view of the number of vulnerabilities involved. Several appear in more than one patch: For example, CVE-2011-0191 and CVE-2011-0192 are listed in five patches (Apple TV 4.2, iOS 4.3, iTunes 10.2, Mac OS X v10.6.7/Security Update 2011-001, and Safari 5.0.4).</p>
<p>After eliminating multiple entries, we discover that the 256 March issues are linked to 123 CVE references. Taking a look at 2010, we see 468 CVE covering the whole year. And I have not forgotten the one in January 2011.</p>
<p><img src="http://vil.nai.com/images/FP_BLOG_110322_2.jpg" alt="" /></p>
<p>CVE-2006-7243 is the oldest vulnerability covered by the 2011 patches. All others are from 2010 and 2011. Here&#8217;s what we&#8217;ve seen in the last 15 months:</p>
<ul>
<li>1 CVE from 2003 (CVE-2003-0063)</li>
<li>2 CVE from 2006 (1 in Q1 2011)</li>
<li>11 CVE from 2008</li>
<li>68 CVE from 2009</li>
<li>428 CVE from 2010 (41 in Q1 2011)</li>
<li>82 CVE from 2011 (all covered in 2011)</li>
</ul>
<p>Is it possible to make a comparison between Apple and Microsoft?</p>
<p>During the same period (from January 2010 to March 2011), Microsoft published 123 security bulletins and patched 298 software flaws (CVE).</p>
<p><img src="http://vil.nai.com/images/FP_BLOG_110322_3.jpg" alt="" /></p>
<p>We can quickly compare by the level of criticality. On the Apple side for 2011, only one vulnerability has a low rating. All the others (123) were named as critical (by Vupen) or highly critical (by Secunia). On the Microsoft side one vulnerability was labeled moderate, 20 important, and eight critical.</p>
<p>Thus in the last 15 months Apple has corrected twice the number of flaws as Microsoft. </p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/mcafee-labs/busy-month-for-apple/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft EU Case Close Marks New Beginning by George Kurtz</title>
		<link>http://blogs.mcafee.com/archive/microsoft-eu-case-close-marks-new-beginning</link>
		<comments>http://blogs.mcafee.com/archive/microsoft-eu-case-close-marks-new-beginning#comments</comments>
		<pubDate>Thu, 17 Dec 2009 23:48:11 +0000</pubDate>
		<dc:creator>Archive</dc:creator>
				<category><![CDATA[Archive]]></category>
		<category><![CDATA[Consumer]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[kurtz]]></category>
		<category><![CDATA[Microsoft]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com?p=1734</guid>
		<description><![CDATA[You may have heard that the European Commission accepted Microsoft commitments to give users a browser choice. While this is fantastic news for the masses, a small paragraph was included in Microsoft&#8217;s &#8220;Interoperability Undertaking&#8221; that will bring holiday cheer to the security-minded: (42) Microsoft shall ensure on an ongoing basis and in a Timely Manner <a href="http://blogs.mcafee.com/archive/microsoft-eu-case-close-marks-new-beginning">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>You may have heard that the European Commission accepted <a href="http://europa.eu/rapid/pressReleasesAction.do?reference=IP/09/1941&amp;format=HTML&amp;aged=0&amp;language=EN">Microsoft commitments</a> to give users a <a href="http://www.microsoft.com/Presspass/press/2009/dec09/12-16Statement.mspx">browser choice</a>.</p>
<p>While this is fantastic news for the masses, a small paragraph was included in Microsoft&#8217;s &#8220;<a href="http://www.microsoft.com/presspass/presskits/eu-msft/docs/MicrosoftInteroperabilityUndertaking16Dec2009.doc">Interoperability Undertaking</a>&#8221; that will bring holiday cheer to the security-minded:</p>
<blockquote><p>(42) Microsoft shall ensure on an ongoing basis and in a Timely Manner that the APIs in the Windows Client PC Operating System and the Windows Server Operating System that are called on by Microsoft Security Software Products are documented and available for use by third-party security software products that run on the Windows Client PC Operating System and/or the Windows Server Operating System. These APIs will be documented on the Microsoft Developer Network, unless open publication would create security risks. In such circumstances, Microsoft will provide third-party security vendors with access to such APIs pursuant to a royalty-free license and on fair, reasonable and non-discriminatory terms.</p></blockquote>
<p>Let’s break this down. Microsoft is committing to providing “timely” APIs for both Windows client and server operating systems “that are called on” by Microsoft’s own security products. The key points are “timely” access to APIs that may not have been documented in the past but used by Microsoft in their own security product. While I applaud Microsoft for incorporating an element that deals with security in this settlement, one has to wonder what APIs are out there that the other security vendors don’t know about. As a security vendor, I firmly believe it is in the best interest of all our customers to provide the best security possible, and getting access to all the relevant APIs is a step in the right direction. I sure hope that “timely” access is not measured in years.</p>
<p>I personally look forward to working with Microsoft on operationalizing the above paragraph. In the end, the browser boys got a win and so have the security geeks. So for me, this isn’t case closed, but rather the beginning of the next chapter in helping to protect our collective customers.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/archive/microsoft-eu-case-close-marks-new-beginning/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to Deal with Terrible Tuesday by George Kurtz</title>
		<link>http://blogs.mcafee.com/smb/how-to-deal-with-terrible-tuesday</link>
		<comments>http://blogs.mcafee.com/smb/how-to-deal-with-terrible-tuesday#comments</comments>
		<pubDate>Sat, 17 Oct 2009 01:49:32 +0000</pubDate>
		<dc:creator>Archive</dc:creator>
				<category><![CDATA[Archive]]></category>
		<category><![CDATA[SMB]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[kurtz]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Patch Tuesday]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com?p=1346</guid>
		<description><![CDATA[I&#8217;ve seen a lot of Patch Tuesdays.  If you look back at history, the concept of updating (“patching”) the Windows operating system began with the release of Windows 98.  The term “Patch Tuesday” didn’t actually start until 2004 when the ritual became more scheduled in an attempt to reduce patch cycles.  Each month Microsoft would <a href="http://blogs.mcafee.com/smb/how-to-deal-with-terrible-tuesday">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>I&#8217;ve seen a lot of Patch Tuesdays.  If you look back at history, the concept of updating (“patching”) the Windows operating system began with the release of Windows 98.  The term “Patch Tuesday” didn’t actually start until 2004 when the ritual became more scheduled in an attempt to reduce patch cycles.  Each month Microsoft would release a small number of “patches” to address vulnerabilities, but this week was different.  Microsoft released 13 security bulletins that cover a total of 34 vulnerabilities, the most that Microsoft has <a href="http://blogs.mcafee.com/?p=1322" target="_self">ever addressed</a> on a single Patch Tuesday.</p>
<p>According to PC World:  &#8220;Microsoft says it will deliver its largest-ever number of security updates on Tuesday to fix flaws in every version of Windows, as well as Internet Explorer (IE), Office, SQL Server, important developer tools and the enterprise-grade Forefront Security client software.”</p>
<p>Of the 13 bulletins, eight are rated “critical” by Microsoft, the company’s highest risk rating. Five are deemed “important,” one notch lower on Microsoft’s severity scale. Nine of the vulnerabilities had been previously disclosed, allowing cyberattackers a way to break into Windows systems before the fix was available.</p>
<p>This kind of craziness leads companies around the world to engage in what I call “patch panic” – security administrators and IT management scrambling to try to understand each patch, what systems might be vulnerable, what threats could exploit those vulnerabilities, potential implications to their business (and how many nights and weekends they are going to have to work).  Some companies will spend weeks trying to collect this information to make decisions on which systems to patch and many will patch systems that don’t require it.  Hours, days and weeks of productivity will be lost.  What a waste of time.</p>
<p>The good news is, it doesn&#8217;t have to be this way.  McAfee recently <a href="http://newsroom.mcafee.com/article_display.cfm?article_id=3577" target="_blank">announced</a> one of the most creative products I&#8217;ve ever been associated with – <a href="http://www.mcafee.com/risk_advisor" target="_blank">McAfee Risk Advisor</a> – the first and only risk analytics solution to eliminate the manual, time-consuming and error-prone approach associated with patching efforts.  We do this by correlating threat, vulnerability and countermeasure information to pinpoint which assets are truly at risk for a specific threat.  It works in conjunction with McAfee Labs Global Threat Intelligence and Vulnerability Manager (formerly Foundstone), as well as countermeasures such as McAfee’s Network Security Platform (formerly IntruShield), Host Intrusion Prevention and VirusScan Enterprise to provide a <a href="http://www.mcafee.com/us/enterprise/optimize/risk_advisor_demo.html" target="_blank">complete picture of risk posture</a>.</p>
<p>McAfee customers with our Host Intrusion Prevention and antivirus products had protection in place before these vulnerabilities were announced, due to our partnership with Microsoft.  Buffer overflow protection capabilities within these products mean that customers receive out-of-the-box protection and are not dependent on signature updates, unlike other vendors’ offerings.  Customers using our Application Control (formerly Solidcore) have absolutely no need to patch those systems, because they are completely blocked from these vulnerabilities.  This week&#8217;s news also highlighted the most popular threat trend around malicious sites and web attacks, like last week’s Adobe PDF vulnerability.  McAfee’s Web Gateway protected our customers from these vulnerabilities even before the announcements.</p>
<p>The bottom line is that life in IT security <a href="http://www.mcafee.com/us/enterprise/optimize/" target="_blank">doesn&#8217;t have to be a huge process</a> any more – we can eliminate “patch panic” and the countless lost hours, money and downtime that most people now take for granted.  We can also reduce the number of patches that need to be applied and let you apply them when it is least disruptive &#8211; drastically reducing patching costs and risks, while improving overall system availability and security.</p>
<p>We help customers patch on their schedule, not someone else’s.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/smb/how-to-deal-with-terrible-tuesday/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Record Patch Tuesday Includes Windows 7</title>
		<link>http://blogs.mcafee.com/system-endpoint/record-patch-tuesday-includes-windows-7</link>
		<comments>http://blogs.mcafee.com/system-endpoint/record-patch-tuesday-includes-windows-7#comments</comments>
		<pubDate>Tue, 13 Oct 2009 23:41:25 +0000</pubDate>
		<dc:creator>Archive</dc:creator>
				<category><![CDATA[System Endpoint]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Endpoint Protection]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com?p=1322</guid>
		<description><![CDATA[Microsoft today released 13 security bulletins that cover a total of 34 vulnerabilities, the most vulnerabilities Microsoft has ever addressed on a single Patch Tuesday. (The previous record was set in June when Microsoft addressed 31 vulnerabilities in 10 bulletins.) Windows 7 The barrage of security fixes comes a week before Microsoft is expected to <a href="http://blogs.mcafee.com/system-endpoint/record-patch-tuesday-includes-windows-7">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>Microsoft today <a href="http://www.microsoft.com/technet/security/bulletin/ms09-oct.mspx">released 13 security bulletins</a> that cover a total of 34 vulnerabilities, the most vulnerabilities Microsoft has ever addressed on a single Patch Tuesday. (The previous record <a href="http://www.microsoft.com/technet/security/bulletin/ms09-jun.mspx">was set in June</a> when Microsoft addressed 31 vulnerabilities in 10 bulletins.)</p>
<p><strong>Windows 7</strong><br />
The barrage of security fixes comes a week before Microsoft is expected to officially <a href="http://www.microsoft.com/windows/windows-7/">release Windows 7</a>, a new version of Windows. Five of the security bulletins released today fix security vulnerabilities in the yet-to-be-released operating system, indicating that Windows 7 will bring little change when it comes to the security of Windows.</p>
<p><strong>Booby-trapped Web sites</strong><br />
Many of the vulnerabilities addressed by the fixes could be exploited if a Windows user simply visits a malicious Web site or opens a rigged media file, favorite attack methods among cybercriminals.</p>
<p>Among the fixes, the critical vulnerability (<a href="http://www.microsoft.com/technet/security/bulletin/ms09-062.mspx">MS09-062</a>) exposes Windows XP and Windows Vista users to attacks that exploit the Graphics Device Interface (GDI+), a Windows component used to process image files that has been patched repeatedly over the past couple of years.</p>
<p>Microsoft has repeatedly had to fix problems related to the Graphics Device Interface in Windows and vulnerabilities in the component have been exploited broadly in the past. Security researchers will be looking to reverse engineer today’s patches, which may very well lead to exploits being created.</p>
<p><strong>Zero day vulnerabilities</strong><br />
Of the 13 bulletins, eight are rated critical by Microsoft, the company’s highest risk rating. Five are deemed important, one notch lower on Microsoft’s severity scale. Nine of the vulnerabilities had been previously disclosed, allowing cyberattackers a way to break into Windows systems before the fix was available.</p>
<p>McAfee recommends that users install Microsoft’s patches as soon as possible. Home users should use Windows Automatic Updates while business users need to have a risk management strategy in place to prioritize the patches.</p>
<p>McAfee provides enterprises with endpoint and network based security technology as well as risk and compliance tools to shield against cyberattacks and allow organizations to patch on their own time. Last week we announced <a href="http://newsroom.mcafee.com/article_display.cfm?article_id=3577">Risk Advisor 2.0</a>, which will tell enterprises what risks they face and show what countermeasures to take for protection.</p>
<p>McAfee Labs Security Advisories provide detail on the coverage of McAfee products when it comes to Microsoft&#8217;s vulnerabilities. You can <a href="http://www.mcafee.com/us/threat_center/securityadvisory/signup.aspx">subscribe online</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/system-endpoint/record-patch-tuesday-includes-windows-7/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Does Microsoft give you security’s essentials?</title>
		<link>http://blogs.mcafee.com/consumer/does-microsoft-give-you-securitys-essentials</link>
		<comments>http://blogs.mcafee.com/consumer/does-microsoft-give-you-securitys-essentials#comments</comments>
		<pubDate>Sat, 03 Oct 2009 01:27:10 +0000</pubDate>
		<dc:creator>Archive</dc:creator>
				<category><![CDATA[Consumer]]></category>
		<category><![CDATA[McAfee AntiSpyware]]></category>
		<category><![CDATA[Microsoft]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com?p=1288</guid>
		<description><![CDATA[This week, Microsoft announced the availability of Security Essentials for consumers, which is similar to other free anti-virus software. You might be wondering, &#8220;Why not just get that for free rather than paying for McAfee?&#8221; A great question really is, who doesn&#8217;t want something for free? But the old adage, &#8220;you get what you pay <a href="http://blogs.mcafee.com/consumer/does-microsoft-give-you-securitys-essentials">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>This week, Microsoft announced the availability of <a href="http://www.microsoft.com/security_essentials/">Security Essentials</a> for consumers, which is similar to other free anti-virus software. You might be wondering, &#8220;Why not just get that for free rather than paying for McAfee?&#8221; A great question really is, who doesn&#8217;t want something for free?  But the old adage, &#8220;you get what you pay for&#8221; may hold true here.</p>
<p>There are lots of free anti-virus options out there, and consumers have voted with their wallets. Free is great for some who don&#8217;t mind piecing together various products that attempt to provide comprehensive protection like McAfee&#8217;s suites do. The majority of consumers are willing to pay for products that help keep them fully protected.</p>
<p>McAfee has developed security products that rate at the top in effectiveness for malware detection and have a complete feature set that protects consumers against today&#8217;s threats. We incorporate a multilayered approach to security to protect consumers against viruses, spyware, spam, phishing attacks and ID theft, and to provide safe searching and surfing capabilities.</p>
<p>Last fall, we added cloud-based security called McAfee Active Protection. It offers consumers instant protection against new threats, even before a virus definition file has been created, while Microsoft’s protection is outmoded, incomplete and ultimately inferior.</p>
<p>Meanwhile, Microsoft Security Essentials provides a basic feature set of antivirus and antispyware, which, while important, protect consumers from only some of the threats facing them today. It is interesting to note as well that consumers require a legal version of the Microsoft operating system, raising the question of whether Microsoft Security Essentials is an anti-piracy tool instead of a security product.</p>
<p>If you want a two-way firewall, you&#8217;d need to either change the settings of the Windows firewall or buy a firewall only product.  And if you&#8217;re concerned at all about the spam you receive, you&#8217;d probably want a product that protected you from that annoyance. What about rootkit or phishing protection? Website safety ratings? Again, not in Microsoft Security Essentials.</p>
<p>The truth is that the reason the software security industry exists today and is a multi-billion industry is because of the flawed code within Microsoft’s Windows and browser; does Microsoft really have the credibility to solve security problems or protect its customers?</p>
<p>If you&#8217;re a numbers person, a recent <a href="http://www.av-comparatives.org/">AV-Comparatives</a> report ranked McAfee with a 98.7% malware detection rating. The Microsoft product they tested (not the production released version of Security Essentials but the best one that they had when they tested last month) rated at 90% detection. That&#8217;s a big difference if you count on only your antivirus to keep you protected. If a product can&#8217;t detect the malware, it can&#8217;t keep you protected.</p>
<p>So, if free is your budget and you don&#8217;t mind it protecting some of your most valuable personal information, then Microsoft Security Essentials may work for you. However, there&#8217;s always a cost to free, and with McAfee&#8217;s years of experience solely focusing on solving security problems for consumers, then a product such as McAfee Internet Security is a much better choice!</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/consumer/does-microsoft-give-you-securitys-essentials/feed</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Millions Spent On Microsoft Flaw, But Not By McAfee Customers</title>
		<link>http://blogs.mcafee.com/cso-risk-management/companies-spend-250m-on-microsoft-vulnerability%e2%80%a6unless-they%e2%80%99re-with-mcafee</link>
		<comments>http://blogs.mcafee.com/cso-risk-management/companies-spend-250m-on-microsoft-vulnerability%e2%80%a6unless-they%e2%80%99re-with-mcafee#comments</comments>
		<pubDate>Tue, 04 Nov 2008 20:01:16 +0000</pubDate>
		<dc:creator>Archive</dc:creator>
				<category><![CDATA[CSO / Risk Management]]></category>
		<category><![CDATA[Host IPS]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[patch]]></category>
		<category><![CDATA[vulnerability]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com?p=320</guid>
		<description><![CDATA[As most of you now know, on 10/23, Microsoft announced a critical out-of-cycle patch (MS08-067) to fix a flaw being exploited by cybercrooks. The vulnerability affects all major versions of Microsoft Windows.  In just a matter of moments, attackers can gain total remote control of a system and install malware, keyloggers, and Trojans. A successful <a href="http://blogs.mcafee.com/cso-risk-management/companies-spend-250m-on-microsoft-vulnerability%e2%80%a6unless-they%e2%80%99re-with-mcafee">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>As most of you now know, on 10/23, Microsoft announced a critical out-of-cycle patch (<a href="http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx">MS08-067</a>) to fix <a href="http://blogs.mcafee.com/index.php/2008/10/24/first-glimpse-into-ms08-067-exploits-in-the-wild/">a flaw being exploited by cybercrooks</a>.</p>
<p>The vulnerability affects all major versions of Microsoft Windows.  In just a matter of moments, attackers can gain total remote control of a system and install malware, keyloggers, and Trojans. A successful attack can lead to corrupted systems and stolen confidential data: intellectual property, credit card numbers, social security numbers, passwords, and more.  Within hours of the Microsoft patch release, public source code to exploit this vulnerability was distributed on the Web.  And, according to Microsoft, by the time the patch was announced <a href="http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=212000278">targeted attacks had already begun</a>.</p>
<p>Because of the extremely critical nature of the vulnerability, Microsoft recommended immediate deployment of its emergency patch without testing, hitting enterprises with a dilemma.  Should they immediately deploy the out-of-cycle patch and risk impacting or even bringing down production systems?  Or should they continue leaving their systems at risk to a critical vulnerability while IT security is testing the Microsoft patch? Either way, businesses are negatively impacted by additional patch management costs, associated business disruptions, and increased security risk exposure.</p>
<p>This incident reinforces the larger industry issue that companies require zero-day protection, especially during the window of vulnerability – the time between when a vulnerability is discovered and when the patch is deployed to protect the system. Relying solely on patch cycles and signature-based solutions doesn’t protect against unknown, zero-day attacks such as this one. With host intrusion prevention, IT teams can establish a more efficient, well-planned, and controlled patching process. Host IPS puts zero-day vulnerability shielding in place which allows IT staff time to analyze, plan, prioritize, test, and deploy relevant patches. </p>
<p>While most security vendors struggled frantically to release new signatures for Microsoft’s vulnerability, McAfee customers using <a href="http://www.mcafee.com/us/enterprise/products/secure_virtualization/total_protection_for_endpoint.html">Total Protection for Endpoint</a> (including McAfee Host IPS) were already protected. By using Total Protection for Endpoint, McAfee customers have comprehensive, layered security against this vulnerability through zero day protection rules already enabled by default.  McAfee customers apply Microsoft patches on their own schedule following their own procedures to significantly lessen patching costs associated with out-of-band patch cycles.</p>
<p>In fact, non-McAfee customers spent over $250 million to address the unplanned patch cycle. While companies scrambled to get protected and lost precious productivity resulting in lost profits, McAfee customers had peace of mind that their systems were protected at no additional cost. Furthermore, McAfee customers went on with business as usual while unprotected companies spent long hours and late nights to get protected.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/cso-risk-management/companies-spend-250m-on-microsoft-vulnerability%e2%80%a6unless-they%e2%80%99re-with-mcafee/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Web-Hosting Providers &#8211; Beware!</title>
		<link>http://blogs.mcafee.com/mcafee-labs/web-hosting-providers</link>
		<comments>http://blogs.mcafee.com/mcafee-labs/web-hosting-providers#comments</comments>
		<pubDate>Fri, 18 Apr 2008 20:39:28 +0000</pubDate>
		<dc:creator>Archive</dc:creator>
				<category><![CDATA[McAfee Labs]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[Zero-Day]]></category>

		<guid isPermaLink="false">http://www.labs.com/research/blog/?p=619</guid>
		<description><![CDATA[Late on Thursday Microsoft released an advisory about a new privilege escalation vulnerability affecting IIS and SQL Server on Windows XP, 2003, Vista, and Server 2008. It&#8217;s likely that this is the same flaw discussed by Cesar Cerrudo in his talk, &#8220;Token Kidnapping&#8221;, at the HITB Security Conference 2008 in Dubai. Cerrudo had discovered a <a href="http://blogs.mcafee.com/mcafee-labs/web-hosting-providers">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>Late on Thursday Microsoft released an <a href="http://www.microsoft.com/technet/security/advisory/951306.mspx">advisory</a> about a new privilege escalation vulnerability affecting IIS and SQL Server on Windows XP, 2003, Vista, and Server 2008.</p>
<p>It&rsquo;s likely that this is the same flaw discussed by Cesar Cerrudo in his talk, &ldquo;<a href="http://conference.hitb.org/hitbsecconf2008dubai/?page_id=182">Token Kidnapping</a>&rdquo;, at the HITB Security Conference 2008 in Dubai. Cerrudo had discovered a privilege-escalation vulnerability earlier, and <a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1307126,00.html">said</a> in March, &ldquo;Design weaknesses can be abused on Windows XP, Vista, Internet Information Services 7 and Windows Server 2003 and 2008&rdquo;.</p>
<p>So what is known about this flaw? An authenticated malicious local user could execute specially crafted code to raise his privilege level to LocalSystem. IIS and SQL Server are the main attack vectors. But other vectors are possible, such as Microsoft Distributed Transaction Coordinator (MSDTC) on Windows Server 2003.</p>
<p>While the vulnerability is limited to a local privilege escalation, IIS&rsquo;s susceptibility is concerning. The Web server is widely used on the Internet, and is a top pick by Web-hosting providers. We might see Web-hosting providers targeted, and &ndash; this is scary &ndash; their clients&#8217; Web sites breached. As Microsoft stated in its advisory, &ldquo;Hosting providers may be at increased risk from this elevation of privilege vulnerability.&rdquo; However, no exploitation has been observed at this time.</p>
<p>The next Patch Tuesday is May 13. Sysadmins, please heed Microsoft&rsquo;s suggested workarounds for IIS until then &ndash; or more to the point, until Microsoft patches this vulnerability.</p>
<p>Finally, a bit of speculation (hat tip to Kevin Beets). One attack vector for this vulnerability uses the <em>SeImpersonateClient</em> privilege. The MSDN page for <a href="http://msdn2.microsoft.com/en-us/library/bb530716(VS.85).aspx">privilege constants</a> states:</p>
<blockquote><p>Windows XP/2000: This privilege is not supported. Note that this value is supported starting with Windows Server 2003, Windows XP SP2, and Windows 2000 SP4.</p></blockquote>
<p>Microsoft did not say that Windows 2000 or Windows 2000 SP4 are vulnerable. But curiously, they did say Windows XP SP2 is. If Service Pack 2 for Windows XP introduced this vulnerability in that operating system, might Service Pack 4 for Windows 2000 not have done the same for Windows 2000?</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/mcafee-labs/web-hosting-providers/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
