Security is an Industry Problem
The information published in this post is now out-of-date and one or more links are invalid.
—IEBlog Editor, 21 August 2012
I've received enough questions in email from different people about a recent vulnerability in another browser that I wanted to post something here.
I think the best place for the facts is with the people responsible for the browser. I say this based on the number of articles I read that misrepresent issues in Windows and IE.
I also think that security is an industry-wide problem. It's not limited or unique to operating systems or applications, or client or server software. It's not limited or unique to commercial software or open source.
The only us versus them distinction I want to make around security is to put responsible software developers, security researchers, and customers together as "us" and malicious (whether it's intentionally or not) software developers, security researchers, and their customers together as "them."
Today, I see a tremendous amount of talent and intelligence applied to breaking or repurposing software. Some of that is positive and responsible. I've listened to and worked with security researchers I would describe as brilliant with no mitigating clauses. They are also responsible. They've worked with us to point out how we can build better software.
I don't know what to say or do about "them." I think some of what we can do is help legislators and law enforcement understand what's at stake in a constructive way. I want to know what else you think we can do about the malicious behavior we find on the Internet.
Dean
Comments
Anonymous
January 01, 2003
duck!
Anonymous
January 01, 2003
> I want to know what else you think we can do about the malicious behavior we find on the Internet.
First: distribute Windows Update. That is, have clients check various download locations NOT ALL ON THE SAME DOMAIN and only install updates whose CRCs match on all locations.
Second: STOP DEVELOPING PROPRIETARY FEATURES.
This may seem extreme but here's my reasoning.
Remember img dynsrc= ? This was a way for malicious HTML-email authors to get around the <object> block in Microsoft Outlook. It has since been fixed.
But learn a lesson from this. Stick to standard features. It will improve interoperability. Not just with products of your competitors, but also with products of other Microsoft teams.
Anonymous
January 01, 2003
Yes, browser exploits are a problem and should be fixed. But the majority of problems with viruses and spyware are from users that are tricked into downloading evil files through P2P/web sites or opening evil attachments through their email client--predominantly Outlook/98/2000/2002/2003/Express.
It makes good Internet drama to pit IE against Firefox and compare their shortfalls, but to improve user protection we need to deal with the most common vectors, and it ain't browser exploits.
Anonymous
January 01, 2003
The critical issue that should push lawmakers is the fact that if I realize I have something I do not want, I should be able to remove it without having to re-install Windows. However surreptitious these EULAs for spyware are, I doubt they can go as far as:
If you realize our software is installed, the only way to remove it is by reformatting. Try anything else, and we will simply re-install our spyware.
Can't BHOs be added to Add/Remove Programs?
Anonymous
January 01, 2003
"but to improve user protection we need to deal with the most common vectors, and it ain't browser exploits."
This is true now at least. Pre-SP2 it probably wasn't.
Anonymous
January 01, 2003
I strongly agree, Dean, that this is an industry-wide problem; no business model makes software magically immune to error.
However, there's something I don't understand about your post -- what do you mean by malice without intention?
Surely malice is by definition intentional.
Anonymous
January 01, 2003
Eric,
I believe that Dean was discussing the people who disclose vulnerabilities.
Maybe a better choice of words was "harmful" instead of "malicious"? Using "harmful" removes the intent - things can be harmful without intent, while I don't believe it's possible to be malicious without intent.
Anonymous
January 01, 2003
Please please please make IE 7 compliant with CSS 2.1.
Anonymous
January 01, 2003
> However, there's something I don't understand about your post -- what do you mean by malice without intention?
> Surely malice is by definition intentional.
I think Dean meant such security researchers as securityfocus.com and others. They track bugs and make exploits available for public download. Public exploits and explanations of how to get around security rules and violate them compromise lots of systems and do not do any good.
In my opinion, if you are a security researcher, you must first contact the software vendor, make them aware of the problem, and post only information on how to avoid the problem on your site.
P.S. Sorry for my poor English.
Anonymous
January 01, 2003
> I want to know what else you think we can do about the malicious behavior we find on the Internet.
Surely you know what software testing is? When you get some user to use your software and see which buttons he will push. And if he pushes some buttons which crash your software you could scream - "Hey you idiot, why did you push that wrong button!" :) Still, that would be a bug in the software and you should fix it.
Same here - "them" discover bugs in your software and you just fix it. :)
You write software to do some useful things. You document everything your software does. You learn which things your software must not do. You document this also so the user is aware of all features (+ and -) of the product he buys. If you do not document some issue (intentionally, or because you just do not know of it because it is a bug :) - it is your fault as a developer - you have created software which you have no idea what it does - something like a Frankenstein ;)
If you do this - you should think about whether your dev tools are OK if you can't know what action your software will produce :) Why is your code buggy.... Just almost every piece of code in the industry is buggy.
Anonymous
January 01, 2003
MS's track record isn't very shiny either, so basically, Dean, you have nothing to say when your own house isn't in order.
http://secunia.com/product/11/
19 unpatched security issues. Not to mention lack of web standards support.
Anonymous
January 01, 2003
You need to read better, specifically go learn what "Reading comprehension" is...
Anonymous
January 01, 2003
@FireFox
Dean wasn't saying that IE was better than FF or vice versa. He was saying that just because FF is Open Source it doesn't mean it has no security vulnerabilities, as some FF advocates preach.
I use FF and love it, but I have heard so much hype about it that is just plain untrue.
@Dean,
From what I understand this exploit is only available on Windows systems. So I would question one part of your statement, where you say "It's not limited or unique to operating systems..." From what I can find out (I have not researched extensively) Windows may be the major culprit and FF only the channel.
I was wondering what you think.
Thanks
Anonymous
January 01, 2003
One of the benefits of a cross-platform technology such as XUL and JavaScript is that it runs... uh... cross platform :-)
That means the bugs are cross-platform, too. To the best of my knowledge, the PoC that leaked was for Windows, but the attack would work anywhere.
That's based on reading posts on slashdot, so I could be talking complete gibberish...
Anonymous
January 01, 2003
Re: Anonymous To Anonymous on Reading Comprehension. Look more closely and you'll see that the "As you are no doubt aware..." post is actually an excerpt from a blog entry linking to this one, embedded via trackback.
Unfortunately the display of Trackbacks on this blog does not make it clear that they are merely excerpts. Labeling them as Anonymous only muddies the issue.
It seems to me a better solution would be to display them as "Trackback from [link]Site Name[/link]" or perhaps a less implementation-specific note like "Excerpt from [link]Site Name[/link]".
Anonymous
January 01, 2003
> He was saying that just because FF is Open Source it doesn't mean it has no security vulnerabilities, as some FF advocates preach.
Which FF advocates would these be? I've never seen somebody claim something so stupid. Sounds like straw men to me.
Anonymous
January 01, 2003
Hole plugged.
http://www.mozilla.org/security/announce/mfsa2005-42.html
Anonymous
January 01, 2003
If only everyone would fix their security as fast as the Mozilla Foundation does the world would be a better place.
Anonymous
January 01, 2003
The difference, here, is that the Mozilla Foundation is much more committed to the FF community than MS is to the IE community.
The two security vulnerabilities in FF (which were really dangerous) were there for just 2 days. On the third, Mozilla released version 1.0.4, which corrected the problems. Even before the release of the patch, Mozilla had taken some measures to avoid attacks (like changing the URL of update.mozilla). MS has a lot of unpatched bugs, and that makes the whole difference.
Anonymous
January 01, 2003
@jim - there is a difference between "open source" and Open Source, but yeah, your point is valid, I just wanted to see the code ;) lol, nah, but I do still think some of the arguments hold true, but maybe if Microsoft ever wanted to go the Open Source way, sure, that would be better, but "open source" still would be a big adventure for them, who knows what BG and Chums are thinking these days :)