Slashdot Mirror


Is Finding Security Holes a Good Idea?

ekr writes "A lot of effort goes into finding vulnerabilities in software, but there's no real evidence that it actually improves security. I've been trying to study this problem and the results (pdf) aren't very encouraging. It doesn't look like we're making much of a dent in the overall number of vulnerabilities in the software we use. The paper was presented at the Workshop on Economics and Information Security 2004 and the slides can be found here (pdf)."

14 of 433 comments

  1. Google is teh friend by Mz6 · · Score: 5, Informative
    Posting a PDF on /. is almost certain server death. Here are Google's HTML versions:

    Is finding security holes a good idea?

    Writing Security Considerations Sections

    --
    Hmmm.
  2. This is like saying... by Vexler · · Score: 2, Informative

    ...that hunting down thugs and thieves and terrorists is not necessarily helping the nation's security, so let's not do it. Asinine suggestion.

  3. Re:Don't buy it by jhunsake · · Score: 2, Informative

    You can be certain the script kiddies are going to find and exploit them.

    By the very definition of the term, script kiddies do not find holes or exploit them; they simply run the exploit scripts.

  4. Re:Fixing vulnerabilities is GOOD! by kent_eh · · Score: 4, Informative

    He describes that if automated installation of patches were widely deployed then the benefits to discovery would increase.

    Assuming the patches don't break something else by mistake.

    The last time I did an update on my laptop (via MS update) and rebooted, I landed in a BSOD. I had to disable my wireless card, get new drivers, and re-install it before I could get the machine to boot normally again.

    If the update had happened automatically, and I was not in a position to get the new device drivers (like on the road, or at a customer's site), I would have been SOL.

    While automatic updates may sometimes make sense for security, they aren't the best solution.

    --
    "I can't complain, but sometimes still do..." Joe Walsh
  5. Not necessarily by aussie_a · · Score: 5, Informative

    If the patch breaks an application and the machine goes unpatched there is a loss in security because of potential intrusion. If the patch is applied there is a potential loss of productivity.

    Not all patches are security patches. Many patches fix problems, such as the spell check function doesn't work correctly. Or some other function doesn't work correctly. These won't compromise security, but they may interfere with other programs.

  6. Re:Uhuh. Is this good if Microsoft does this? by mangu · · Score: 5, Informative

    In theory, you are right. In practice, I've been using apt-get for several years and never got in the situation you mention when patching with "stable" releases. Can't say anything about Microsoft patches, though. Never touch that stuff.

  7. Re:It helps by Anonymous Coward · · Score: 1, Informative

    Firefox and any browser other than IE can have holes, but IE and Explorer are directly tied together, which opens a new class of exploits and holes that the other browsers with less integration just do not have.

    Some History:
    MS realized that the transparent integration of IE and Explorer that started around IE5.x? is not without security issues. The currently hidden [1] "My Computer" zone is the security wrapper between the two. There are multitudes of issues that can exploit holes and create cross-zone issues [2]. A majority of the security patches for IE in the last 2 years have been fixing these issues as they appear.
    Looking forward, the trend with MS operating systems is going to be a more restrictive "My Computer" zone. Third parties have made tools for existing systems [2] to ease the introduction of these restrictions and MS themselves have responded with XP SP2 [3] that is in beta now. These are major changes but it is the industry trend. The claims made by PivX Solutions are pretty impressive as noted in the white paper [3b] (+1 bonus to the marketing department) for avoiding past exploits and worms by using their version of a lockdown which I believe is more than just reconfiguring the My Computer zone. I am in no way, shape or form giving a suggestion to use their software or services, just noting that companies DO see a problem with the MS security model and are doing something about it. Any implementation of the concepts they use would do equally as well if researched enough.

    [1] How to Enable the My Computer Security Zone in Internet Options

    [2] Google Search for IE and Zone exploits

    [2a] Security list posting by PivX Solutions describing the concept of security zones

    [3] PivX Solutions "Quik-Fix"

    [3a] White Paper describing "Quik-Fix"

    [4] Changes to Functionality in Microsoft Windows XP Service Pack 2

  8. good idea by dtfinch · · Score: 3, Informative

    Crackers will dissect your patches to create exploits, but you'll at least have protection available when the exploits go wild. If they don't find vulnerabilities from the patches, they'll just spend more time trying to find them manually, and the more you leave unpatched, the better the odds they have of finding one. Your customers who care about security the most will install the patches on time, and get pissed if a cracker exploits something before you've patched it.

    But it's even better to find them before the product ships, and design early on to avoid the common ones. I believe the author of qmail is still offering thousands of dollars to the first person who finds even a single vulnerability.

  9. Good if combined with sensible disclosure by stevey · · Score: 3, Informative

    Finding problems which can be disclosed at the same time as a patch is very good.

    All the major Linux distributors will release updates in a timely manner, and enable people to install them with minimum effort - much like Microsoft does. The only difference with Microsoft's patches is they can, rarely, break things. I've never seen this happen with a Linux update.

    Personally I've never heard anybody say anything bad about the pro-active way which the OpenBSD team audit their codebase and this is one of the reasons why I started the Debian Security Audit.

    Having a dedicated team of people auditing code, combined with the ability to release updates in a timely manner, is definitely a good thing.

    (The results of my work show that even with only a small amount of effort security can be increased)

    Did I mention that I'm available for hiring? ;)

  10. Re:What about people... by nytes · · Score: 2, Informative

    The whole IT community went through this debate years ago.

    Report it to the developer, not the whole world.

    The standard nowadays is to notify the vendor and give them time to create a fix, and then report it to the world at large.

    The problem with notifying only the vendor was (years ago) found to be that vendors would not fix an exploit if they were confident that few people knew about it. Vulnerabilities known to the vendors went years without being fixed because they knew that few people were capable of figuring out that the vulnerability existed.

    The current system is basically a way to shame the vendors into acting proactively to fix a vulnerability, before an exploit is found in the wild. The hazards of it were debated long and hard by the IT community, but in the end it was decided that they had to force vendors to act.

    --
    -- I have monkeys in my pants.
  11. Re:Security guy? by randombit · · Score: 3, Informative

    Really. I didn't make that up, check the link! Who is this guy, and why is he giving me software security advice?!

    Member of the IAB. Co-chair of the TLS working group.

  12. An earlier paper on the same subject by Anonymous Coward · · Score: 2, Informative

    This paper from 1979 says essentially the same thing - endlessly finding and fixing security holes will not improve the underlying security.

    Schell, R.R. Computer security: the Achilles' heel of the electronic Air Force? in Air University Review. January-February 1979, Vol. 30. p. 16-33.

    http://www.airpower.maxwell.af.mil/airchronicles/aureview/1979/jan-feb/schell.html

  13. Re:Uhuh. Is this good if Microsoft does this? by spitefulcrow · · Score: 2, Informative

    Isn't this the point of tools like BSD and Gentoo's systems (ports and portage, respectively)? They're designed to solve dependencies and automatically merge software into an operating system. Portage can even satisfy conflicting dependencies by maintaining multiple versions of one package in the system at once.

    --
    Sorry, my karma just ran over your dogma.
  14. Re:Uhuh. Is this good if Microsoft does this? by Lost+Engineer · · Score: 2, Informative

    This is illegal in the US. Such a contract would not be valid were it challenged in court.