XP Users Doomed by Latest Microsoft Security Flaw?

By Ron Benvenisti, NYNJECTF (NY-NJ Electronic Crimes Task Force).

PCs running Windows XP will not receive any updates fixing a bug in its widely used Internet Explorer web browser when they are released, because Microsoft stopped supporting the 13-year-old operating system earlier this month. Between 15 and 25 percent of the world’s PCs still run Windows XP.

Microsoft disclosed on Saturday, in an advisory to its customers posted on its security website, its plans to fix the bug, which it said is present in Internet Explorer versions 6 to 11. Those versions dominate desktop browsing, accounting for 55 percent of the PC browser market.

Hackers have been exploiting the bug in a campaign dubbed “Operation Clandestine Fox.”

It appears that the virus is geared to gather a broad spectrum of private data.

To protect against the virus, which uses the IE flaw, the short-term solution is to switch to another browser. Filters which use IE will not protect against “Clandestine Fox”. This includes Microsoft Security Essentials and WebAllow. It is unclear whether any IE protection will work, and no schedules have been released by third-party anti-malware vendors for a fix as of this writing. The bug was announced on Saturday on Microsoft’s security website.

Microsoft said in the advisory that the vulnerability could allow a hacker to take complete control of an affected system, then do things such as viewing, changing, or deleting data, installing malicious programs, or creating accounts that would give hackers full user rights.

The fix will only be applied to Microsoft’s latest operating systems: Windows 7, 8 and 8.1. Again, Windows XP will not be patched, leaving many businesses and individuals vulnerable to stolen, corrupted or otherwise seriously compromised data.

Local Troubles

As a HIPAA Business Associate and PCI compliance officer, this writer reports that systems that are still running XP beyond the support cutoff date (which has passed) will be cited for non-compliance and can be levied with hefty fines as well as dropped from their insurance companies.

The hacker community is in a feeding frenzy to launch similar attacks before Microsoft prepares a security update.

Windows XP users will not benefit from that update, since Microsoft has just halted support for that product. This will have disastrous effects on many businesses running XP, particularly small health providers and small businesses who have not upgraded from XP. Both Medicare and Medi-Cal will be scrutinizing providers, and CMS will not accept transactions from vulnerable systems. Compounded by the woes of the Affordable Health Care Act, which have already made a dent in physicians’ bottom line and availability, this poses a real threat to the viability of their business and to their legal responsibilities both to patients and to third-party services such as CMS.

Microsoft advises Windows XP users to upgrade to one of the two most recent versions of its operating system, Windows 7 or 8. However, this can be an expensive and onerous task, not only for healthcare providers but for any business running XP (with IE) that processes personal information such as credit cards. The Payment Card Industry (PCI) will fine non-compliant businesses and suspend their ability to process Amex, Visa, MasterCard and Discover cards.

Footnote: Although there have been more advisories coming from our politicians and Law Enforcement Agencies lately, these topics have already been discussed and reported in TLS, months and even years prior. I suggest searching for “Benvenisti” (without the quotes) in the TLS search bar for proven methods to deal with those advisories.

Any requests can be directed to me via TLS. Include TLS Security in the subject line with your contact information.
