As you may or may not know, every version of Windows from Vista onward contains a proprietary disk encryption tool, known as BitLocker. Baked into the operating system, it allows users to quickly and easily apply full-disk encryption to their hard drives, preventing attackers from gaining access to their data. At least…that’s how it was supposed to work.
Until recently, the encryption didn’t really amount to much.
It wasn’t that it was weak, mind you. Rather, it contained a critical security flaw, one which allowed any attacker with even a modicum of sense to easily bypass its protections and gain access to encrypted files. While that’s not really a huge issue for the average end user, it’s more than a little distressing from an enterprise standpoint.
“By setting up a fake domain server with identical name, the attacker only had to create a user account with a password created years in the past to trigger a policy-based password change,” explains ZDNet’s Zack Whittaker. “Once the user changed the password, they could log in to the PC using the password now set in its cache.”
Enterprise machines were most vulnerable to this flaw, according to Ian Haken, the researcher who originally uncovered it. Thankfully, the vulnerability – which doesn’t appear to have been exploited in the wild – has since been patched. BitLocker’s much more secure as a result, and Windows admins everywhere can rest easy.
There’s a learning experience in this mess, and the lesson it provides is one that time and again I see rather bafflingly ignored by IT decision-makers and upper management alike.
I’ll just come right out and say it: if you truly value the security of your organization’s data, keep all of your software as up-to-date as humanly possible. You never know what critical vulnerabilities or minor glitches are lurking in older operating systems, waiting for a hacker to come along and exploit them. And in the case of vulnerabilities like the one uncovered by Haken, it’s even more important that you download any relevant hotfixes.
Now, it’s worth mentioning that you do have a bit of leeway here. In the case of minor patches and security updates, you probably have at least a few days before it becomes vital that you install them. Better yet, by waiting you can make sure that patch installation won’t break anything on your own system.
Of course, zero-day vulnerabilities throw a wrench in the gears there, so to speak.
“Security experts will tell you that a zero day vulnerability is a big problem,” writes Make Use Of’s Justin Pot. “Essentially, these are flaws in software that no one knows about – meaning no one has developed a way to stop hackers and malware from taking advantage of them. Knowing about one of these vulnerabilities makes it easier to break in – it’s as if someone left their door unlocked.”
“Whenever software developers release a patch,” he continues, “hackers and malware developers look closely at it to see what it fixes. Through this reverse engineering, they can discover exactly how to compromise systems that aren’t yet patched.”
So…long story short, install patches sooner rather than later. If you fail to do so and your data winds up compromised, you have only yourself to blame.