Sunday, July 19, 2009

Security Point-Counterpoint

Actually not a counterpoint, but Ian Argent left a comment on my post Bad Browser Juju that is worth reproducing here in full:
You're a smaller target - as long as the market is smaller. As more people switch (which is happening and shows no sign of stopping), the relative payoff for targeting non-IE/Windows installs gets bigger. And there's big money in botnets and other exploits now, money enough to make pwning machines a career. I work in tech support, and one of the things I have had to deal with over the last year was a flood of DNS changer trojans on the Mac. The worst part of it was that the attack pattern on the Mac is MUCH less sophisticated and stealthy (on Windows the trojan burrows in and attempts to hide that the DNS servers have been changed, whereas on the Mac it's blatantly obvious). Nonetheless, I almost NEVER see this trojan affecting our Windows customers, whereas it was a significant proportion of our Mac tickets. This isn't an apples-to-apples comparison, as the attack vector is pure social engineering (install our codec to see the bewbs) rather than a technical exploit. But I think it shows the kind of cargo-cult security mindset that non-technical users can have. Call it the seat-belt effect, if you will. Or security via obscurity, which only works until it's worth someone's while to break that obscurity.

Also, the July 6 DirectShow exploit appears to not affect IE 8 per Symantec via PCMag. That would seem to show that MS is FINALLY beginning to start taking security seriously.

Finally, don't think I'm trying to suggest Win/IE is more secure than the alternatives. It's usually less secure, mostly because users hate security. The only secure computer is one that is walled up in a closet with no console or power, and even then you can always take down the wall with demo tools :) But someone who switched from IE8 to Firefox 3.5 is more vulnerable to the exploit in the original post than I am running IE8 on Vista. (Per Symantec via PCMag - if that's changed I haven't seen anything on it.) IE8 isn't bulletproof either - see the recent pwn2own contest (in which all major desktop browsers were exploited), and it would appear that it took MS 3 months to close the exploited hole. But it's not exactly Swiss cheese either.
These are all very good points, and are worth highlighting:

1. Nothing is invulnerable, as the Mac trojans demonstrate. I'd argue (in fact, I have) that the Unix architecture is inherently harder to attack than Windows, but this just shifts the focus of the Bad Guy. As long as users can be fooled into installing malware, you're vulnerable.

2. If something is more popular, it will be attacked more (market share matters). The worst situation is something popular that has weak security (Internet Explorer 6 on unpatched Windows XP with the user running with Administrator privilege), but in general market share = target share. Sitemeter tells me that 15% of you use Safari; combine that (an interesting level of market share) with Apple's very cavalier attitude to fixing security bugs and, quite frankly, your risk is higher than it would be if Apple had the same attitude that, say, the Mozilla Firefox team has.

3. Microsoft is indeed taking security more seriously. I know for a fact that they have been for years (from conversations I had with some of them back in 2001). This is now ingrained at Microsoft in a way that it simply isn't at Apple. Their architecture hurts them, and I really don't know why Internet Explorer can't update itself like Firefox does, but security is no joke inside the halls at Redmond.

4. In this day and age, it's a big, big security miss for the browser not to auto-update itself with security fixes (this is the one place where I somewhat disagree with Ian). IE 8 may in fact be more secure than IE 7 (and for dang sure is better than IE 6, which was a security nightmare), but it stays vulnerable much longer than Firefox or Opera. Fixing this is the biggest step forward that Microsoft could make for user security. Case in point: Sitemeter tells me that more visitors here run IE6 than IE8, and three times as many people use IE7 as IE6 and IE8 combined. Your mileage may vary, void where prohibited, do not remove tag under penalty of law.
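As an added illustration of the DNS changer behaviour Ian describes above (example code written for this post, not from the original post or from Ian's comment): a defender-side check that parses resolver configuration in /etc/resolv.conf syntax and reports any nameserver that is not in an expected allowlist, which is the kind of check that catches a changed resolver whether or not the malware tries to hide it from the user. The config text, the allowlist and the rogue address are all constructed for the example.

```python
# Added example, not from the original post: detect a DNS changer by
# comparing configured resolvers against an allowlist, rather than
# trusting what the OS settings dialog shows.
import ipaddress
from typing import Iterable

# Constructed allowlist: the resolvers this host is supposed to use
# (a local router plus two hypothetical internal resolvers).
EXPECTED_RESOLVERS = {"192.168.1.1", "10.0.0.53", "10.0.1.53"}

# Constructed sample resolv.conf: the third nameserver is a made-up
# documentation-range address standing in for a planted rogue resolver.
SAMPLE_RESOLV_CONF = """\
# generated by the OS; a DNS changer edits this silently
domain example.internal
nameserver 192.168.1.1
nameserver 10.0.0.53
nameserver 203.0.113.7
options timeout:2
"""


def parse_nameservers(text: str) -> list[str]:
    """Return nameserver addresses from resolv.conf-style text, in order.
    Comment lines (# or ;) and malformed entries are skipped, not trusted."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                # normalise so "::1" and "0:0::1" compare equal
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # not an IP address at all; ignore it
    return servers


def unexpected_resolvers(text: str, expected: Iterable[str]) -> list[str]:
    """Nameservers present in the config but absent from the allowlist.
    An empty list means the resolver configuration matches policy."""
    allowed = {str(ipaddress.ip_address(a)) for a in expected}
    return [s for s in parse_nameservers(text) if s not in allowed]


if __name__ == "__main__":
    rogue = unexpected_resolvers(SAMPLE_RESOLV_CONF, EXPECTED_RESOLVERS)
    print("unexpected resolvers:", rogue or "none")
```

Run periodically from a management host, a non-empty result is the signal to look at the machine; the same comparison applies to whatever resolver store your platform uses.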

Ian, thanks for leaving the comment, which is well worth everyone's time. As you say, there are no silver bullets, and being a smart security user is the most important thing that anyone can do. Maybe I should do a post on security awareness a la Jeff Cooper's color codes. The old saying from the shooting range applies especially well to Internet security: the most important safety device is the one you find between your ears.


Ian Argent said...

Thanks for front-paging that. IE6 delenda est, certainly.

Also, I'm pretty sure the reason IE doesn't auto-update itself is Windows Update. Which MS does everything but press the button for you to make sure is turned on. The time-line to patch may suck for reasons I give below. I follow Raymond Chen at The Old New Thing (a pretty useful and amusing blog), and far too much of the Windows idiocy can be traced to a mistake that was made in the times of yore, and now (hardware that roughly 200% of users have installed/an organization that licenses 1 TRILLION copies of Windows) depends on that mistake and consequently won't upgrade if that mistake is fixed. (Exaggeration for comedic effect, of course.) Which doesn't stop his commenters from asking "why can't you fix it anyway?"

One of the reasons it takes so bloody long for Microsoft to patch ANYTHING is the same reason I still have to use IE6 at work (and consequently do not do ANY personal browsing on my work machine) - LOBsters. Line-of-business apps that depend on a particular quirk of a particular implementation that could be as much as 12 years old (or more if the app started in DOS). We have some internal web tools that apparently break if used on IE7 or later. The advice for people who DO have a machine with IE7 is to have them use Firefox (corporate-approved browser, interestingly enough); though not all the apps work in Firefox all that well either. So I've got admin rights (needed for some of my job functions) on a machine with IE6, and NO WAY to change that. I installed Firefox and try and use that when I go outside the intranet. Nonetheless, I see people (most of whom don't have admin rights, thankfully) do personal browsing on their work machines. Light personal browsing (excluding webmail and social networking sites - both are verboten by policy and generally by firewall unless you can put together a business case) is permitted by policy; and I wonder how much work that gives corporate network security...

Anyway, the short form of this is that Microsoft has to make a profit or face the shareholders. Firefox doesn't have to make a profit (as far as I can tell - Mozilla Foundation is not-for-profit and Firefox is free. Though Mozilla Company confuses matters, based on a quick wikiwander it would appear that Mozilla doesn't need to make a profit). Mozilla is also a much smaller organization. This allows the Mozilla Foundation a bit more freedom to experiment, to be more agile.

Whether or not Microsoft is too large, has a business model that is obsolete, etc, isn't my place to say. But the business explains much of what causes Microsoft to be less responsive than their competition.

Ian Argent said...

I wonder if a future version of IE could have a "sandboxed" IE6 environment in it (a la Win7's touted "WinXP" mode) for the LOBsters?