Saturday, June 27, 2009

Internet Security is hard, part CXXIV

No wonder things are a mess, the security industry is part of the problem. I just spent 20 minutes trying to figure out if the laptop I use at Security Startup company is vulnerable to a new Adobe security bug. I think that the answer is "no", but this isn't the sort of thing that you should have to figure out.

And I've been doing this for nigh on twenty years, for Pete's sake.

It started innocently enough, with a vulnerability announcement for Shockwave Player - one of the many that come around each week. This one caught my eye, though:
Shockwave Player is installed on 450 million desktops, according to Adobe.
Well, now. This is worth a look.

Things started going sideways right away. "Shockwave" is a name also used in combination with "Flash", which is what drives all the YouTube videos. A security bug in that would be really, really bad, since the Bad Guys could embed malware in a funny video and infect a million people in a day.

So, is Shockwave Player related to Shockwave Flash? After 20 minutes, I think that the answer is no. The reason is that Control Panel ("Add/Remove Programs" in XP, called "Programs and Features" in Vista) gives me a list of installed software. I do have Flash Player; I don't have Shockwave Player.

Criminey, the security industry should not be issuing vulnerability announcements that contain brand confusion. They should state clearly what needs to get fixed, and if the vendor has made things difficult because of similarly-named products, the vendor should be made to explain the situation.

For my readers, here's what (I think) the situation is:

1. Your Adobe PDF Reader is fine.

2. Your Adobe Shockwave Flash Player is fine. You may have two: a browser plugin, and an ActiveX Control; both are fine.

3. Your Adobe Shockwave Player is a security mess, and you'll want to get a new one from Adobe. You, like me, may not have it. If you want to make sure, you'll have to check in Control Panel.
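If you would rather not click through Control Panel, here is an added example (not from the original post) in PowerShell that reads the same "Programs and Features" data from the registry and tells the two products apart by name. It assumes the standard Windows Uninstall registry keys and that Adobe registers the products with display names containing "Flash" (Flash Player plugin or ActiveX control) or "Shockwave" (the Shockwave Player, i.e. the Director runtime); the classification rule is mine, not Adobe's.

```powershell
# Added example, not from the original post: list Adobe Flash / Shockwave entries
# from the registry data behind "Add/Remove Programs" / "Programs and Features".
# Assumption: the standard Uninstall keys below, plus Adobe's display names
# containing "Flash" or "Shockwave".

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',  # 32-bit apps on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'               # per-user installs
)

function Get-AdobePlayerEntries {
    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        Get-ChildItem $key | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if ($p.DisplayName -and $p.DisplayName -match 'Shockwave|Flash') {
                # Classification rule (assumed): anything with "Flash" in the name is
                # Flash Player, even "Shockwave Flash"; a "Shockwave" name without
                # "Flash" is the separate Shockwave Player (Director runtime).
                $product = if ($p.DisplayName -match 'Flash') { 'Flash Player' } else { 'Shockwave Player' }
                [pscustomobject]@{
                    Product     = $product
                    DisplayName = $p.DisplayName
                    Version     = $p.DisplayVersion
                    Publisher   = $p.Publisher
                    RegistryKey = $_.PSChildName
                }
            }
        }
    }
}

$entries = @(Get-AdobePlayerEntries)
$entries | Format-Table -AutoSize

if ($entries | Where-Object { $_.Product -eq 'Shockwave Player' }) {
    Write-Host 'Shockwave Player (Director runtime) IS installed: compare its version with the advisory.'
} else {
    Write-Host 'No Shockwave Player entry found; only Flash Player is present, if anything is listed above.'
}
```

Run it in a PowerShell prompt (elevated is not required for reading these keys). The Wow6432Node key matters on 64-bit Windows, where 32-bit browser plugins register; without it a Shockwave Player install can be missed entirely, which is exactly the sort of false "I'm fine" this post is complaining about.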

So we'll deduct 20 points from Adobe for brand confusion and 40 points from the security researchers for not eliminating the confusion (Bad researcher! No biscuit!).

Look, security is hard enough without adding unnecessary confusion.
