Three Applications That Will Cause Us Security Headaches For At Least Three Years

  1. Internet Explorer/ActiveX
  2. QuickTime
  3. Adobe Acrobat Reader

Each of these applications has a plugin architecture and an inadequate security model. Actually, IE 7 + Vista is a good model, but it will take 3 years for it to hit wide enough deployment.


Excel Sort-of-0day Affects Mac And Windows

Remember the good old days when vulnerabilities would just affect one platform? Back when there was NO WAY my Commodore 64 could be infected by your TRS-80?

It looks like there is a targeted attack going on (where a virus is created and only sent to specific targets so the antivirus companies don’t notice it). It takes advantage of a flaw in older versions of Microsoft Excel. Microsoft’s advisory is here.

It’s not the kind of thing most of you will have to worry about unless you become the target, but I’m always interested in 0day attacks and cross-platform vulnerabilities.

More from Brian Krebs and the Microsoft Advisory:

According to Microsoft’s security advisory, this vulnerability affects Microsoft Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000, and Microsoft Excel 2004 for Mac. People who are using Microsoft Office Excel 2007, Microsoft Excel 2008 for Mac or have installed Microsoft Office Excel 2003 Service Pack 3 are not affected.


Lessons On Software Updates: Microsoft and Apple Both Muck It Up

I know this is going to sound intensely weird, or somewhat disturbing, but I’m fascinated by how we treat software as a product. It’s kind of a mashup between content like movies and music, which we sort of purchase, but are really just licensing to use, and “hard” products like TVs, hammers, and decorative toilet paper dispensers. Most software companies just sell us a license to use their product, with all sorts of onerous (and potentially unenforceable) restrictions in what we politely refer to as “End User License Agreements”, or EULAs. We only call them that because “Non-Consensual Ass Fuck” doesn’t have as legitimate a ring to it.

But there’s a HUGE difference between software and media. Media is passive- we read it, watch it, and listen to it, but it doesn’t affect anything else it touches. A bad book doesn’t screw up your library, and a bad CD doesn’t ruin your CD player. Software, on the other hand, deeply affects our work and personal lives. We install software on systems running other software, and one bad error in one little program can ruin our entire system, corrupt data in other applications, or even damage hardware.

Because software is so different from other products, it exists, in essence, in a state of perpetual recall. A sizable portion of the technology industry is dedicated to pushing updates to our software. In some cases these updates change functionality, adding new features. In other cases these updates fix security or other product flaws. For a media file it would be like buying the original Star Wars on DVD, then later updating it with all the improvements Lucas made, like emasculating Han and having Greedo shoot first. For physical products it would be like plugging my DeWalt compound miter saw into the wall to add a variable speed feature, or to extend the length of the finger guard.

This is an intensely new way of buying, selling, and owning products. One I’m not convinced we fully understand the implications of yet.

Let’s turn back to software, keeping in mind that many products today, from MP3 players to phones, now ship with updateable software. As I mentioned before, we tend to lump updates into two categories:

  1. Functionality changes: adding or changing features
  2. Fixes- repairing security or functionality flaws

Ideally these updates benefit the customer by improving the product, but in some cases the update goes in entirely the opposite direction. Vendors can even use updates to deliberately remove functionality you paid for. Take a look at the Pioneer Inno; its FM feature to listen to XM radio using your car stereo was completely removed during a software update (Pioneer forgot to get FCC approval).

We thus have two situations we’ve never really encountered before in the world of buying and selling stuff.

  1. Updates can change how a product you paid for works.
  2. Updates can change how other products you paid for, on the same system, work.

This is a powerful change to the concepts of product ownership and customer relations and comes with certain responsibilities. Over the past few weeks we’ve seen two of the biggest technology names in the world totally muck it up: Microsoft and Apple.

One of the cardinal rules of software updates is that you never force an update. The change you’re pushing might change vital functionality, and, to be honest, it isn’t your right to change my system. That’s called cybercrime. It appears Microsoft messed up and pushed out a “stealth” update for the Windows Update feature of Windows XP. This update installed itself even if you told Windows not to install updates. Worse yet, it essentially ruined the Windows Repair function of the system. Press aside, Microsoft probably opened themselves up for some lawsuits.

Another rule (probably more of a best practice) is that you should separate security and functionality changes in updates. This is something Microsoft generally does well these days (except for Service Packs) and Apple does extremely poorly. Security and other flaw updates should be separate from functionality updates because while a user may not want to be hacked, they might not want to change how their product works to be safe. This would be like turning in your car for a recall around a defective airbag and having the speedometer changed from miles to kilometers as a “bonus”.

Apple updated the iPhone with critical security updates, but these updates are bundled with serious functionality changes. Thus if I don’t want a little Starbucks logo to appear on my phone every time I walk past one, I have to leave myself vulnerable to attack. Nice one Apple.

I really do think we’re redefining the concept of ownership, and the privacy advocate in me is worried things are swinging in the wrong direction. Device manufacturers are practically engaged in an all-out war with their own customers, and most of it is driven by the content protection requirements of the media industry.

Here are a few recommendations when dealing with software updates:

  1. All updates should be optional
  2. Don’t bundle security updates with functionality updates
  3. Don’t break unrelated applications
  4. If you’re an application, don’t change the underlying platform
  5. Clearly notify customers what features/functions will change with the update

Or to be a little clearer- don’t force updates, don’t take away functions, tell people what you’re doing, and don’t break anything else.

Why I’m Not a CISSP

Over at the Network Security Blog, Martin’s been doing a great job of putting the CISSP certification (Certified Information Systems Security Professional for you non-security-geeks) in proper context.

I’m not the biggest fan of the CISSP any more; I think it’s outdated and commoditized. It’s no longer the gold standard of security certifications because the world around it has changed too quickly. These days, there’s no “single” security career track, and the CISSP is diluted from attempting to remain the One Ring that Certifies Them All.

Not that it’s worthless. It can give a new security prospect a reasonable grounding in some of the basics. But where it used to be a Master’s (or maybe Bachelor’s) degree, it’s now a high school diploma.

About 4 years ago we didn’t have many CISSPs on our team at work, and my boss suggested I give it a shot for some professional development. I took one of those week-long intensive courses, and walked out realizing that taking the test would be, for me, a waste of time. Not that I didn’t learn anything, but I’d obviously hit the point in my career where it wouldn’t give me any advantages. I wasn’t going to learn anything else by preparing for the test (except how to pass the test), and I was in a position where the CISSP after my name wouldn’t make a difference for any job I’d ever apply for.

If you’re just getting started, or need it for the resume, a CISSP still has some value. In some places we’ve hit the point where not having it is more of a career obstacle than boost. That doesn’t mean it will help you do your job better.

Which is sad.

Edited: Almost missed Rothman’s comments on the subject; one on-point paragraph instead of my drawn out story. Sigh.

I’m a Professional- Don’t Try This At Home

I love Mythbusters; and before every show there’s the obligatory warning, “Don’t try this at home. We’re what you call professionals”. Which is really disappointing since I now have no idea what to do with the 500 lbs of explosives, the crash test dummy, and the ballistics gel sitting in my garage.

This morning Martin reminds me that I’m a bit of a professional myself. As mentioned in this post, I’m running Vista and an XP machine without any antivirus. And as kwismer pointed out in the comments, Vista isn’t completely immune.

I can only do this because I’m a highly educated user, only taking risks for myself, with a strong track record of never being infected. History, experience, and training allow me to take actions that are high risk to someone without my background. It’s the same as my rescue activities- the odds of me getting hurt while snowboarding some 300 lbs behemoth in a plastic sled down a black run are smaller than the odds of you blowing a knee on a blue run. Actually, the odds of me fracturing my shoulder while flying down a solo bump run are much higher than if I was doing the same run with a patient strapped in a rig behind me.

Know your own risks and make your own assessments; and if you don’t have the skills to even do that accurately, always err on the side of caution. And never place others at risk even if your personal risk is low.

Don’t be an idiot. I’m a professional.

Running Vista Without a Net

I’ve been running my eval copy of Vista (as a virtual machine) for a couple of weeks now and it’s a strange feeling. No, it has nothing to do with the new user interface (most of which won’t run in my virtual machine anyway), User Account Protection (UAP), or any of the new features.

It’s because I’m running without any AntiVirus running. At all. And I can’t, for the life of me, think of any reason to install it yet.

It’s there. This little zip file sitting on my desktop trying to tempt me into releasing it from the confines of its uninstalled bundle. It calls to me as I sleep, whispering fears of sending Office macro viruses to my family or being unprepared as that just-detected 1-day worm wheedles its way past my firewalls into the heart of my OS. But I resist the temptation as I banish the file to the depths of a subdirectory. Waiting to be called upon when needed, but imprisoned in the bowels of my file structure until the most desperate of times.

As someone who practices safe email and browsing habits I often wonder if I need desktop AV at all. I don’t run it on my Mac and I don’t run it on my XP Home PC (that isn’t ever used for email or inappropriate browsing). I only use it on my corporate desktop, where it’s never found anything despite destroying my system performance every Wednesday at lunch, and I’m well protected with our email server AV (which is definitely necessary).

Thus there’s no reason to run it on an OS for which there isn’t a single known worm or virus. It’s not like signature-based AV will catch any of the rumored 0days floating around, and my generally safe browsing habits limit my exposure anyway.

I’d consider this feeling of freedom strange if I hadn’t been experiencing it on my Mac for the past year. Now you Windows users can know what freedom really feels like.

At least for now…

Do Not Open Any Unexpected Microsoft Word Files

I wasn’t planning on writing about this, but with the release of a third unpatched MS Word vulnerability it’s time to be extra careful.

I’m assuming this will be patched soon, but for now I’d limit yourself to only documents you are darn sure are safe. I’d tell you to stop using Word, but that’s just silly and unrealistic.

Just be safe, okay?

Mac vs. Windows Security- It’s a Whole New Game, and Doesn’t Matter

I’m about to tread, yet again, on religious ground.

John Gruber, attacking an eWeek article, incited a response by Tom Ptacek over at Matasano. I suggest you read those articles, especially the Matasano response, because they highlight very clearly some of the technical differences between OS X and Windows Vista.

I’ve been spending a lot of time, we’re talking a year or two, trying to decide if OS X is inherently more secure. I’m not a vulnerability researcher or OS developer, so I can’t dig in like Ptacek, but as an analyst I’m pretty good at weeding through the BS and I’m geeky enough to know what I’m talking about.

OS X is more secure than my XP PC, but Vista changes everything. This is not your usual Windows.

Tom’s response to Gruber focuses on Windows Vista, but Tom could have explained that more clearly. Gruber probably hasn’t hammered on a recently-released, barely-production-deployed OS, so his arguments aren’t tailored towards Vista. I think all the pundits need to be clear about which OS versions they are talking about. To a very real degree they are debating around each other- Tom focusing on Vista, and John on XP. This was something I was planning to write about after I got my hands on a non-beta copy to play with, but Tom beat me to the punch.

OS X is more secure than XP for a variety of reasons, including the user account model, lack of SYSTEM, quiet network profile, some core code signing, and so on. That said, OS X was not designed with a secure development lifecycle, and does not include the advanced security features shipping in Vista. Not that Vista is perfect, but there are clear indications that the game may have changed. (And yes, I’ve simplified a lot)

  1. The Secure Development Lifecycle is far more than some marketing campaign. MS hammers their code harder than anyone… ANYONE else in development today. Independent review, multiple security code scanning engines, mandatory training, and dropping beta versions to hackers like free candy. I talk with a lot of vendors; many have good processes, but I haven’t found any major vendor that makes such an effort. Ignore XP- it never went through this process, but look at SQL Server 2005, one of the first major applications to go through this process. No vulnerabilities to date- just one shared-code flaw (XML Core Services). Vista is the first consumer OS to go through this process. Bugs will still be found, but I suspect far fewer than XP.
  2. Memory randomization- key code hops around in memory. This makes it incredibly hard for an attacker to point to system code, since the code always moves. No hardcoding addresses. This may be the most significant change in the OS security.
  3. C#, which will probably be the most common application language used on the Windows platform, uses memory virtualization, just like Java. Again, nothing’s perfect, but this means C# apps are much less likely to suffer some of the common families of flaws that have crippled Windows so far.
  4. The user privilege model is stronger, but not perfect. MS cut back a little here to keep some enterprise customers happy, but the improvements are still very real. Old code demanding admin access runs off virtual registries rather than corrupting the main system registry.
  5. Browser isolation- most major malware today on XP comes in email or over the browser (and half the email stuff uses the browser). IE 7 itself is stronger, and the browser runs in a more isolated and less privileged mode.

I’m just running off others’ evaluations, so take it or leave it, but the hard-core researchers I know all tell me Vista is not the MS software we’re used to. Everything from the browser, to the kernel, to the programming languages used to build applications is significantly improved. And I haven’t even mentioned all the new security features, like a real 2-way firewall, PatchGuard, and so on. Will it all work? I don’t know, but I do know those who have hacked away at Vista come away impressed.

So is Vista more secure than OS X? I think so, but we’ll still see more malware for Windows for a long time to come. And Apple has plenty of time to take some of the same security steps. Heck, with fewer ties to legacy applications Apple could probably jump ahead if they put their minds to it. Vista might see life on my Mac, but only replacing my XP virtual machine.

But with Vista now released we all need to be clear about which operating systems we’re discussing. On paper Vista has more security built in at a more fundamental level than OS X. But Vista is brand new, and we’ll have to watch the world kick the tires for a while. Apple needs to respond with similar features, where needed, if they are to compete in the security game. If they want to.

The truth is, security is still not a major factor in most people’s OS choice. I’m sitting here saying I think Vista is more secure, but I don’t plan on switching off my Mac. Security is about being “good enough”. As the major target for attacks, “good enough” for Windows is significantly higher than “good enough” for Macs. Until Apple sees the same kinds of exploits on the same scale there will be little motivation for them to invest so deeply in security.

The game isn’t over, but it’s definitely a different game than just a few weeks ago.

Stop Using IE… Umm… Again… For Now. Anyone on Lynx?

An unpatched vulnerability being exploited in the wild.

When I’m on a Windows system (I run it virtualized on my Mac for work) I tend to use multiple browsers since even Firefox has issues at times.

I even do this on my Mac- running Firefox and Safari, switching between the two depending on where I’m going.

But at this rate I’m going back to Lynx.

(And if you go to “those” sites do yourself a favor and only browse from a virtual machine you reset after every use).

This is not the Mac security you’re looking for.

Arthur over at Emergent Chaos posted an amusing story on an organization’s reason for switching to Macs.

It’s security. Just not necessarily what we mean when we say Macs are more secure.

Yes- this company installed Windows on Intel Macs since Macs are more secure. We’re not talking virtualization or anything, but taking off OS X and installing Windows XP.

I really never thought of that.

(updated: direct link to the original story at deadbeat cafe)