Network World
Friday, November 27, 2009

Biting the bullet on patch management


E-mail Ellen Messmer



Patching of Windows-based systems is a job that has to be done even on patient-care medical equipment, as our story this week on hospitals points out. Unlike their counterparts in most workplaces, IT administrators in clinical settings can't simply apply a patch once Microsoft makes it available. They have to wait until the medical-device manufacturers tell them they can apply it, or the manufacturers may insist on applying the patch to the equipment themselves. And they can't run anti-virus on this equipment without permission either.


This is a very tough set of circumstances to work under, compounded by the fact that several IT administrators tell us the medical equipment vendors are often very tardy about patch management - even a year late. Sometimes late means never. This tardiness puts patient-care medical systems at higher risk of computer worm infections than they should be.

We could only get one medical equipment manufacturer - GE Healthcare - to respond at all to questions. Philips Medical Systems and Siemens Medical Solutions were in the bunkers this time, but we hope they'll speak out on this important issue raised by our readership of IT professionals. It was those who work to make hospitals safe who shared their experiences with us. And the U.S. Food and Drug Administration, which regulates patient-care medical equipment, also showed insight and concern about the patch-management situation in discussing it with us.

What remains is for the medical-device manufacturers to bite the bullet and improve patch-management if they want to build systems based on Microsoft, which has a history of doing a lot of patching.

Speaking of Microsoft, that makes me wonder when the public will get that software patch Microsoft says we need for Internet Explorer after the 'zero-day' attack from the Russian hacker gang that was discovered the week of June 21st.

That attack, linked to a Web site in Russia that Russian anti-virus company Kaspersky Labs tells me was associated with the "HangUp" cybergang, hit a number of Web sites based on Microsoft Internet Information Server 5.0, including those run by the Kelley Blue Book, MinervaHealth, Inc. and Mwave.com.

This Russian cybergang managed to break into several sites - exactly how is still under investigation in some cases, though lack of adequate patching is getting blamed in some instances. At any rate, the Russian cybergang adroitly added a malicious JavaScript to alter the compromised server's configuration. The JavaScript-based attack, which appears to exploit a new vulnerability in the Internet Explorer browser, allowed the group to capture the victim's personal data when the victim visited the compromised Web site.

Security experts call this a 'zero-day' attack, which means the attack exploited a software hole before the vendor community knew about it and could provide a patch.

Microsoft has taken to calling this specific Russian gang attack the "download.ject" attack. It's been determined that download.ject was not a computer worm but rather "a targeted manual attack," according to Microsoft. Microsoft says it worked with Internet service providers and law enforcement to shut down the originating point of attack in Russia on Thursday June 24.

However, the issue of patch management of the Internet Explorer browser remained unresolved as of last week. Microsoft said customers running Windows XP SP2 Release Candidate 2 were protected from the threat. But what about everyone else with an IE browser?

Well, Microsoft said you should "utilize high security settings," which means cutting down on the functionality of the browser. The Redmond giant also says it's still working on the patch for the "download.ject" problem.

"A comprehensive fix for all supported versions of IE is under development and will be released once it has been thoroughly tested and found to be effective across a wide variety of supported versions and configurations of IE," promised a Microsoft spokeswoman.

Microsoft is making information about the issue available here.
