On Thu, Jan 21, 2010 at 9:52 PM, Gadi Evron <ge@linuxbox.org> wrote:
On 1/15/10 5:52 PM, Steven Bellovin wrote: ..> 2. Is Microsoft, while usually timely and responsible, completely irresponsible in wanting to patch this only in February? While they patched it sooner (which couldn't have been easy), their over-all policy is very disturbing and in my opinion calls for IE to not be used anymore.
It is not as if there are a wealth of alternatives. There are still many cases, where IE or MSHTML components are a pre-requisite, to access a certain product that is important to the user. A canonical example, would be: Intranet apps, web-managed routers, switches, firewalls, or other network infrastructure that can only be administered using MSIE version 6 (ActiveX control, or old HTML relying on IE features) -- probably devices with old software. Mail readers such as Outlook with MSHTML components embedded. ..> 3. Why are people treating targeted attacks as a new threat model? Their
threat models are just old. This we discussed here.
It's an old model that could have fallen into some measure of disuse. Targeted attacks are possibly riskier to launch than randomly dispersed attacks, and require an insider or more determined attacker who can effect social engineering in the right place; the result is they are rarer. Intuitively, hardly any user thinks they can personally be subject to a complex targetted attack penetrating multiple security layers and requiring obscure enterprise-specific info.... until it happens... because people assume complexity of the required attack, and 'security software' such as Antivirus lead to a high level of safety, without ever having a logical or statistically rigorous basis for arriving at the assumption. Perhaps there were so many non-targetted attacks, that the idea of "targetted attack" was drowned out of the security dialogue and forgotten by some.. or there was a mistaken belief that the targetted attacks automatically get stopped by the firewall and mod_security... -- I believe 3 to 4 weeks is par for the course, with most major software manufacturers, even for a patch to a critical security issue... It is really impossible to make a reasonable assessment on Microsofts' response based on just one event (where in fact, they pulled through). I don't perceive that Microsoft have any solid history of being more timely or more responsible, than other vendors. In most cases, they have released patches soon after a serious advisory was made public, but the date the vulnerability was first discovered and reported to Microsoft, is not disclosed in the advisory or patch too often, that I saw. As I understand: a vulnerability might have first been reported to MS months or years before they released a patch or even acknowledged there was an issue, in some cases. Sometimes they even advise, but say there will be no patch (e.g. Windows XP and MS09-048 ). A "true" zero day like the recent one, where the exploit is in the wild and in use by blackhats prior to the vendor even being aware of a possible vulnerability, is a different animal, than routine security patches (even ones listed as critical or high-priority). Because (no doubt) it requires some strong measure of analysis first to determine what code is being exploited, in addition to the normal steps involved in fixing a hole.... e.g. determining what the actual possible bug(s) are, and how to fix, without probably introducing new ones, or missing some conditions. -- -J