It's been quite some weeks since I published a week in review post. The holiday season was mostly quiet, which was wonderful in general.
Mozilla
The most notable thing I found worth mentioning over the holidays was a security update of the Mozilla products. The pace at which the Mozilla project releases can be trying at times, but after reading Internet Explorer Unsafe for 284 Days in 2006 and reflecting on the matter, I think the quick pace of updates from the Mozilla project is the right thing to do. All web browsers have bugs; the horrible complexity, along with the new features added to the browsing experience, means that the number of security flaws probably won't be decreasing in the near future. By sitting on security flaws, even embargoed flaws, users are placed at an unneeded risk. There is a great deal of well-known interest from the computer underworld in browser exploits. There is no excuse for not fixing known flaws.
Opera
Opera patched in secret. It seems that the Opera folks tried to sneak in two critical fixes without telling anyone. The Opera 9.10 changelog doesn't note that there are any substantial security fixes in the update, but it seems they fixed two critical flaws.
I initially thought about commenting on this event as a plug for open source software and its transparency, but I then got to thinking about what would happen if Mozilla did this. It's likely nobody would really notice, as there are often hundreds of bugs fixed in any given Firefox release. I think this is more a matter of accountability. Opera is a company that is trying to make money. It's in their best financial interest to not have security flaws in their products. They probably think they have something to gain by quietly fixing security flaws, though I'm certain they've changed their minds after the bad press they're getting for this. I would be surprised if security updates affect the Mozilla Foundation revenue stream in any way. It's more likely that the brutal honesty of the Mozilla project regarding security flaws is proving to be positive. When there is a new Firefox release, it's mostly a non-story, as everything is out in the open for anyone to look at. There's no sneaking around happening that makes a good story.
OpenOffice.org
Speaking of sneaking around, it seems there was some thought that the recent OpenOffice.org update was a bit sneaky. There was a bit of attention brought to this issue since the bug was reported in October, yet the full extent of the flaw wasn't known until January 2nd. I will admit that the issue could probably have been handled better, but the upstream project wanted to keep the details under wraps until they had a chance to release version 1.1.5. That's pretty much the story; it's not terribly exciting.
Various Thoughts
I ran across this story the other day: Poll: Most Consumers Don't Trust Their Security Software. A quote from that story has me rather bothered:
"It's also our job to regularly communicate with our customers regarding their level of security, in a way that is meaningful to them, so that they know how secure they are."
When you're handling security for an end user, they are either secure or not. It's not a scale; it's a boolean value. I often wonder if this is where most of the high profile security vendors have gone astray. They now spend more time justifying their security solutions than making a high quality solution that just works.
This article has me wondering: Rift Widens Over Bug Disclosure. While these "month of whatever" projects can cause me a bit of pain, so far they've been pretty easy on the open source world. I'm always glad that there are people investing time into security research, but part of me thinks not alerting the vendor in any way isn't right either. I can understand going public with a flaw after a reasonable period of time, but just blindly hitting vendors with a bug a day for a month is a bit harsh. I think the best way for me to justify this is to ask what I would do in such a situation. If I knew of 30 bugs, each of which had security potential, what would I do with them? I'm confident I wouldn't blindside vendors with them. How to report that many flaws could present a challenge, though. I suspect the real culprit here is researchers looking for their 15 minutes of fame. If a researcher reports that many bugs responsibly and has their name plastered over many security advisories, they could be in store for far more than 15 minutes of notoriety.
Well, that's all for this week. See you next time.