Ubuntu Upgrade Day: 11.04 – 11.10 ‘Oneiric Ocelot’

Yay! My favorite Linux distro gets a facelift today with Ubuntu 11.04 making way for the newly released version 11.10 ‘Oneiric Ocelot’. From past history lessons, I do tend to stray on the side of caution, so only one of my machines will be getting the upgrade treatment this week and I’ll hold off with the others until any post update issues shake out.

For those who haven’t given Linux a try yet – I’d strongly suggest giving Ubuntu a go – it has a nice interface and can be skinned to look and feel quite similar to some of the other major operating systems you may already be familiar with. Follow this download link and grab the file.

If you just want to kick the tyres and have a quick look, there are some easy to follow instructions on the download page for making a ‘Live CD’ or a bootable USB stick that you can drop into your current machine and check out.

For those already running Ubuntu, upgrading is as easy as following the instructions on this page, or by entering the command:

update-manager -d

from a terminal window (or from a command via <Alt> + <F2>). At the time of writing, the update files hadn’t made it to the New Zealand servers so you may want to hold off a little, or change your region under the ‘Settings’ option.

Good luck, enjoy (and don’t forget to make a backup of your data files BEFORE you start…)

The best exploits are old exploits

Image Credit: "Old school" from Clothesline - NZ Clothing and Design (BUY THE TSHIRT)

Last week I had a really interesting meeting with one of the Security Advisors from Microsoft prior to the release of their Security Intelligence Report (SIR) – Volume 11.

While we were specifically discussing different things in this meeting, one of the side conversations came back to the issues surrounding legacy software and its ongoing support, and there are some really interesting numbers making up the latest analysis of exploits being leveraged against the systems Microsoft monitor in creating these reports.

While “zero-day” vulnerabilities are the things making the news (at least in the industry press), they accounted for less than 1% of malicious activity.

One of the more worrying stats for me was the leveraging of exploits where updates were available. Around 6% of incidents were exploiting issues for which a vendor had already released an update to fix. Further to this, 3.2% of the overall incidents were for issues resolved more than a year ago! The reality is, people are simply not updating their software and I’m really not sure where the problem sits.

Given the author of the study is Microsoft, it’s safe to assume that the measurements are against Windows based systems – these systems have had Operating System and Application updates built in to their default operation for many, many years now – however I still come across machines ‘in the wild’ with update indicators sitting right next to the system clock on the task bar, simply begging to be clicked so that the machine can be updated. The patches are set to download by default, they come from very well distributed file caches so the downloads are as fast as possible – so why are they not being applied? This phenomenon is not isolated to home PCs where the owner may not know why (or how) these patches should be applied, it’s also apparent in managed environments such as corporates and schools.

Before anyone starts to feel too comfortable because *you* have your operating system all up to date, it’s not just the base system which is under attack. Even as far back as 2009, these SIR reports were demonstrating that:

“Around 90 percent of vulnerabilities during the second half of last year were in applications…” – DarkReading / Microsoft SIR, April 2009

And that trend (though, perhaps not that percentage) continues today. In fact, it is the applications which users are loading on to their systems which are bringing with them the vulnerabilities from which the malicious are launching their attacks. We see this in the additional functionality vendors are inserting into base operating systems on phones, we see it in application software which destroys the myth that certain platforms are invulnerable, even to the point where helpdesk staff representing the company were specifically prohibited from assisting customers (a position they later reversed).

So – what does one do in the face of these threats? Do we rely on the background downloading and patching of our systems, or do we take an active stance in protecting our machines, choosing what and when to apply updates – just in case “something weird” happens?

But, gentle reader, the greatest threat to the integrity of your system is not its operating system, it is not the applications you have installed, it is something even harder to ‘update’, something that will not be ‘patched’ on a regular basis from a central source… the greatest threat, the threat responsible for almost 45% of the attacks analysed in this latest Microsoft SIR – is you and I. We of the “between the keyboard and the chair”, us of the “Layer 8 in the OSI model”, the wet-ware, the users. But trying to resolve that threat vector is fodder for perhaps another article at another time.