Tuesday, May 9, 2017

Why there are security bugs

This example says everything you need to know:
Miscreants can turn the tables on Microsoft and use its own antivirus engine against Windows users – by abusing it to install malware on vulnerable machines. 
A particularly nasty security flaw exists in Redmond's anti-malware software, which is packaged and marketed in various forms: Windows Defender, Windows Intune Endpoint Protection, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, Microsoft Forefront Security for SharePoint, Microsoft Endpoint Protection, and Microsoft Forefront Endpoint Protection. All are, at this moment, at risk. It is switched on by default in Windows 8, 8.1, 10, and Windows Server 2012. 
It is possible for hackers to craft files that are booby-trapped with malicious code, and this nasty payload is executed inadvertently and automatically by the scanner while inspecting the data. The injected code runs with administrative privileges, allowing it to gain full control of the system, install spyware, steal files, and so on.
I post this not to slam Microsoft, who has done a pretty good job making their security better.  It's to point out that even people who write security software mess up.  Consider:

  1. The Microsoft team certainly understands the need for security.  After all, they're creating a security product.
  2. The Microsoft team certainly knows how to code securely.  After all, they're creating a security product.
  3. Microsoft has a very strong vested interest in making sure that this sort of thing doesn't happen.

And it still happened.  That tells you everything you need to know about whether we will ever be free from security bugs.

And so, what's the defense?  Well, a quick response is what you want.  While there's no patch for this, expect one PDQ.  Microsoft does pretty well in that.

My take is that this is a major gap in "Internet of Things" security: not only do IoT vendors not understand the need for security or how to do it, and not only do most of them not seem to care about security and market perceptions, but almost none have a way to update software to patch security bugs.

1 comment:

Jeffrey Smith said...

Microsoft has apparently released the patch:
http://www.pcworld.com/article/3195434/security/microsoft-fixes-remote-hacking-flaw-in-windows-malware-protection-engine.html