[Full-Disclosure] (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs

From: Drew Copley (dcopley_at_eEye.com)
Date: 06/30/04

    To: <ntbugtraq@listserv.ntbugtraq.com>, <bugtraq@securityfocus.com>, <full-disclosure@lists.netsys.com>
    Date: Wed, 30 Jun 2004 13:55:17 -0700
    
    

    There has been a great deal of talk about people
    switching to Mozilla because of this recent Internet
    Explorer issue.

    This is a serious misunderstanding about security
    that comes about because of people's ignorance and
    because they "believe the hype" but do not look at
    the details.

    An example:
    http://slate.msn.com/id/2103152/

    ***
    In less than a day, Internet administrators sterilized
    the infection by shutting down the Russian server that
    hosted the spyware. But not before a barrage of scary
    reports had circled the world. "Users are being told
    to avoid using Internet Explorer until Microsoft patches
    a serious security hole," the BBC warned.

    <..>

    Scob didn't get me, but it was enough to make me ditch
    Explorer in favor of the much less vulnerable Firefox
    browser.
    ***

    The issue has been found not to use the zero-day spyware
    worm we have seen of late, but a known and patched
    IE bug. Previous attacks used this same vulnerability before
    it was patched; this is true. That attack and the latest spyware
    zero-day attack were both unreported. The latest attack was
    way over-reported, and there was a great deal of wrong information
    in a lot of these news stories.

    Disclaimer: * I like Mozilla. I use it nearly daily for Usenet. I
    use it as a secondary browser. I used it as a primary mail client
    for years. I have worked at an open source company and have been
    involved in several major open source security projects over
    several years. *

    [Primary Caveat to what I am about to say: Microsoft has an atrocious
    record of fixing bugs. They routinely take six months to fix security
    issues given to them. Some issues they simply leave open with
    absolutely no explanation, such as the adodb stream issue which
    has been used in all of the latest IE attacks. There is absolutely
    no excuse for this kind of behavior, and people should consider
    leaving Internet Explorer for this kind of reason... not
    because bugs were found.]

    This said, people should not change browsers "because of the Scob",
    nor should they assume Mozilla is more secure. Change because of
    the features or to support Open Source. But, don't change any
    software because someone found a bug in it... unless that bug
    was horribly stupid to find.

    Very often I see people saying "Because of this recent security
    hole, I am changing to Mac, they are safer". The same argument
    remains true.

    Mozilla is safer in some regards. Its lack of ActiveX is not
    really the reason, though. For one thing, it has "plug-ins". This
    is how Shockwave runs on it. One of the Shockwave bugs I found
    also worked in Mozilla. Maybe others did -- I did not even bother
    to test it.

    Here are some facts:

    -> Bug finders want attention. Bug finders want to find bugs that
    will affect the systems they use and the systems everyone else uses.

    -> Internet Explorer, for several years, has had 94% of the browsing
    population. That is everyone. It may not be the most visible majority,
    but it is definitely the majority. If you have ever managed a large
    site, you - like me - have likely seen the very same stats. This is
    a huge majority of the Internet population.

    -> The very same people are finding these big bugs. It is not like
    there are a whole ton of inexperienced people finding these bugs. These
    are the best. They are experts at finding them. They may not always
    be cognizant of this themselves, the act of finding them may not
    seem difficult to them, but it is -- and this is clearly shown by
    the fact that the same people keep finding these bugs.

    So, what I am saying is: it could be Internet Explorer or it could
    be Mozilla. Whichever is more popular, ultimately. If these bugfinders
    spend their time trying to break it, it will be broken.

    Professional QA and open source QA cannot find security bugs
    like security researchers can. If you want to break an application,
    you do not hire QA to do it. You hire hackers to do it, people
    with proven experience.

    -> It is true. A lot of top IE bugfinders have it in for Microsoft.
    Liu Die Yu was ripped off by them in China. One top bugfinder had
    a very bad experience with them as a new computer user. Guninski was
    viciously attacked by them for a long period of time -- I watched
    as he became slowly more and more anti-Microsoft until it became
    an obsession for him.

    So, Microsoft's PR campaign has made them some pretty hardened
    enemies. This is true. Companies like Netscape tend not to do this
    kind of thing because they are used to getting free help and
    appreciating it.

    -> Using a Mac used to be far more secure than it is now, because
    now it is based on the BSD kernel and is far more accessible. Using
    a Commodore 64 or an Apple II or a TI-99/4A - if these things were
    possible - would be the most secure of all. This is "security by
    obscurity".

    -> Applications which have less foothold, less code, will have fewer
    bugs. Applications which have more code and more "landscape" will
    have more bugs. It does not matter who is developing it. There may
    be some freaks out there, mutants, who can write flawless, absolutely
    safe code. But, most of us are human beings.

    -> Anyone that has worked in the software development field
    knows and understands that applications have bugs. This is a fact
    of life in these fields. End users are extremely buffeted from this
    fact of life because everything that goes into selling the products
    tries to keep that from them. Yet, what end user could forget just
    how often their application or their system crashes?

    It happens all the time. And, if you are using a certain application
    or OS all the time, you may think it only happens to you and only
    with this software.

    This is not true.

    (It may be true that some users on some OSes do experience fewer bugs,
    but they well know they do not do the kinds of things which require
    software with more "foothold" or code for which bugs might happen -- you
    shouldn't expect to see a lot of bugs in your experience if all you
    use is notepad.)

    Conclusion: Mozilla may be better. I think there is some strong
    chance of that. But only marginally. It has had bugs. It has a lot
    of features, which means a lot of potential for security issues. They
    have kept their browser more conservative than Microsoft has kept
    Internet Explorer. Traditionally, Mozilla developers have been
    far more "RFC compliant", as the saying goes, than Microsoft.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
