Why are so many browser flaws rated as critical?
To many people on the outside world, it's sometimes non obvious why such a big deal is made about the web browser. The story below highlights that an ad server was broken into and used to distribute malware.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9043418&source=NLT_AM&n
People usually think that if they're at a trusted site, such as their bank, a news site, or even some search engines., they are safe and they can let their guard down. The network of webservers have become very pervasive, and the line between sites continues to blur. As various sites start opening up public APIs, this line will eventually vanish completely. The web seems to be evolving into one giant squishy ball of putty, rather than lots of little ones. This in turn is creating an environment more dangerous for its users, with no clear fix in sight.
Virtualization is less secure
I ran across this posting to an OpenBSD mailing list the other day:
http://kerneltrap.org/OpenBSD/Virtualization_Security
Talk of security virtualization reminds me of the old saying about debugging by Brian Kernighan
Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it.
This is hard problem. I doubt the solution lies in writing golden code. It's more likely that technologies like SELinux are going to be far more effective than expecting everyone to write bug free software.
