In the last couple of days, a widespread Linux vulnerability known as GHOST has been receiving a lot of attention in the security community. In theory, this vulnerability can allow an attacker to remotely execute code on a Linux computer. There is already proof of concept code that puts this theory into practice, and it is expected that real world attacks are just around the corner.
The Sophos product teams have been thoroughly investigating to determine which of our products are affected and what is necessary to address those that are.
In the light of the recent Bash vulnerability known as “Shellshock” (CVE-2014-6271 and CVE-2014-7169), here’s the reality instead of the hype.
Shellshock is a newly-discovered vulnerability in Bash (the Bourne Again Shell), one of the most commonly used shells on Linux, UNIX and OS X.
Although it can be exploited in some cases, the good news is that not all implementations can be exploited, and only certain services and applications allow a hacker to exploit this issue.
We may yet be accused of “going on” about the recent retirement of XP, but we feel justified in doing so as any systems you have that are still running XP will become more vulnerable over time.
Last week we saw a reminder that Oracle will not be issuing an update to Java on XP on the 15th July when it releases its regular update.
When we asked SophosLabs what they thought about Java on XP and the change in support status, they said that Java had been hard work even for supported operating systems – and so with no support for Java on XP there was no prospect of it getting any better.
For many of you, Microsoft has retired your favorite operating system, XP. I say favorite since about 20% of the Windows PCs out there are still running some variant or other of XP, from Home through to embedded, and we don’t see that changing any time soon.
The vast majority of customers will by now have swapped out the systems where they are using XP as a standard desktop for something newer – probably Windows 7 or 8. Those that haven’t are possibly unaware of the risks or else have some kind of bespoke application installed that means that they cannot easily move to a later operating system.
The fact is that XP will no longer get updated (Microsoft released an update for IE including in XP after the end of support, but is not likely to do so again). Perhaps it will be seen by some as not important enough to warrant the investment in change. However, PCs now running XP are at a greater risk than ever of compromise – despite Sophos and other security vendors continuing to offer protection against malware.
In order to make our endpoint products even easier to use, we have simplified the subscriptions in our on-premise management console (SEC) to make using Sophos engineering more efficient. Now, we will no longer be releasing all of our endpoint products together on a monthly basis.
Instead, we are separating the product and security updates and will deliver Windows, Mac and Linux individually, with more frequent security data updates, and less frequent software changes.
We’re sending more direct communications to our customers and partners over the coming weeks. In the meantime, you can take a look at a new set of knowledgebase articles that explain the changes and how things will work from now on.
Microsoft announced on January 15th that it will extend updates to its anti-malware for Windows XP for another year. But as our security experts explain, the underlying facts of Microsoft’s planned retirement of XP in April have not changed, and you should still upgrade as soon as possible.
Once Microsoft officially ends support for XP on Patch Tuesday in April (the last security update for XP), there will be no new security updates, non-security fixes, assisted support options, or online technical content updates from Microsoft.