Anyone see a game changer here?
James Hess
mysidia at gmail.com
Fri Jan 22 05:19:38 UTC 2010
On Thu, Jan 21, 2010 at 9:52 PM, Gadi Evron <ge at linuxbox.org> wrote:
> On 1/15/10 5:52 PM, Steven Bellovin wrote:
..> 2. Is Microsoft, while usually timely and responsible, completely
> irresponsible in wanting to patch this only in February? While they patched
> it sooner (which couldn't have been easy), their over-all policy is very
> disturbing and in my opinion calls for IE to not be used anymore.
It is not as if there are a wealth of alternatives. There are still
many cases, where IE or MSHTML components are a pre-requisite, to
access a certain product that is important to the user. A
canonical example, would be:
Intranet apps, web-managed routers, switches, firewalls, or other
network infrastructure that can only be administered using MSIE
version 6 (ActiveX control, or old HTML relying on IE features) --
probably devices with old software.
Mail readers such as Outlook with MSHTML components embedded.
..> 3. Why are people treating targeted attacks as a new threat model? Their
> threat models are just old. This we discussed here.
It's an old model that could have fallen into some measure of disuse.
Targeted attacks are possibly riskier to launch than randomly
dispersed attacks, and require an insider or more determined
attacker who can effect social engineering in the right place; the
result is they are rarer.
Intuitively, hardly any user thinks they can personally be subject
to a complex targetted attack penetrating multiple security layers and
requiring obscure enterprise-specific info.... until it happens...
because people assume complexity of the required attack, and
'security software' such as Antivirus lead to a high level of safety,
without ever having a logical or statistically rigorous basis for
arriving at the assumption.
Perhaps there were so many non-targetted attacks, that the idea of
"targetted attack" was drowned out of the security dialogue and
forgotten by some.. or there was a mistaken belief that the
targetted attacks automatically get stopped by the firewall and
mod_security...
--
I believe 3 to 4 weeks is par for the course, with most major
software manufacturers, even for a patch to a critical security
issue...
It is really impossible to make a reasonable assessment on
Microsofts' response based on just one event (where in fact, they
pulled through).
I don't perceive that Microsoft have any solid history of being more timely or
more responsible, than other vendors. In most cases, they have
released patches soon after a serious advisory was made public, but
the date the vulnerability was first discovered and reported to
Microsoft, is not disclosed in the advisory or patch too often, that
I saw. As I understand: a vulnerability might have first been
reported to MS months or years before they released a patch or even
acknowledged there was an issue, in some cases. Sometimes they even
advise, but say there will be no patch (e.g. Windows XP and
MS09-048 ).
A "true" zero day like the recent one, where the exploit is in the
wild and in use by blackhats prior to the vendor even being aware of
a possible vulnerability, is a different animal, than routine
security patches (even ones listed as critical or high-priority).
Because (no doubt) it requires some strong measure of analysis first
to determine what code is being exploited, in addition to the normal
steps involved in fixing a hole.... e.g. determining what the
actual possible bug(s) are, and how to fix, without probably
introducing new ones, or missing some conditions.
--
-J
More information about the NANOG
mailing list