Is Finding Security Holes a Good Idea?
ekr writes "A lot of effort goes into finding vulnerabilities in
software, but there's no real evidence that it actually improves security. I've been trying to study this problem and the results (pdf) aren't very encouraging. It doesn't look like we're making much of a dent in the overall number of vulnerabilities in the software we use. The paper was presented at the Workshop on Economics and Information Security 2004 and the slides can be found here (pdf)."
Google is teh friend (Score:5, Informative)
Is finding security holes a good idea? [64.233.167.104]
Writing Security Considerations Sections [64.233.167.104]
This is like saying... (Score:3, Informative)
Re:Don't buy it (Score:3, Informative)
By the very definition of the term, script kiddies do not find holes or exploit them, they simply run the exploit scripts.
Re:Fixing vulnerabilities is GOOD! (Score:5, Informative)
Assuming the patches don't break something else by mistake.
The last time I did an update on my laptop (via MS update) and rebooted, I landed in a BSOD. I had to disable my wireless card, get new drivers, and re-install it before I could get the machine to boot normally again.
If the update had happened automatically, and I was not in a position to get the new device drivers (like on the road, or at a customer's site), I would have been SOL.
While automatic updates may sometimes make sense for security, they aren't the best solution.
Not necessarily (Score:5, Informative)
Not all patches are security patches. Many patches fix problems, such as the spell check function doesn't work correctly. Or some other function doesn't work correctly. These won't compromise security, but they may interfere with other programs.
Re:Uhuh. Is this good if Microsoft does this? (Score:5, Informative)
Re:It helps (Score:1, Informative)
Some History:
MS realized that the transparent integration of IE and Explorer that started around IE5.x? is not without security issues. The currently hidden [1] "My Computer" zone is the security wrapper between the two. There are multitudes of issues that can exploit holes and create cross zone issues [2]. A majority of the security patches for IE in the last 2 years have been fixing these issues as they appear.
Looking forward, the trend with MS operating systems is going to be a more restrictive "My Computer" zone. Third parties have made tools for existing systems [2] to ease the introduction of these restrictions and MS themselves have responded with XP SP2 [3] that is in beta now. These are major changes but it is the industry trend. The claims made by Pivx Solutions are pretty impressive as noted in the white paper [3b] (+1 bonus to the marketing department) for avoiding past exploits and worms by using their version of a lockdown which I believe is more than just reconfiguring My Computer zone. I am in no way shape or form giving a suggestion to use their software or services, just noting that companies DO see a problem with the MS security model and are doing something about it. Any implementation of the concepts they use would do equally as well if researched enough.
[1] How to Enable the My Computer Security Zone in Internet Options [microsoft.com]
[2] Google Search for IE and Zone exploits [google.com]
[2a] Security list posting by Pivx Solutions describing the concept of security zones [ntbugtraq.com]
[3] Pivx Solutions "Quik-Fix" [pivx.com]
[3a] White Paper describing "Quik-Fix" [pivx.com]
[4] Changes to Functionality in Microsoft Windows XP Service Pack 2 [microsoft.com]
good idea (Score:4, Informative)
But it's even better to find them before the product ships, and design early on to avoid the common ones. I believe the author of qmail is still offering thousands of dollars to the first person who finds even a single vulnerability.
Good if combined with sensible disclosure (Score:3, Informative)
Finding problems which can be disclosed at the same time as a patch is very good.
All the major Linux distributors will release updates in a timely manner, and enable people to install them with minimum effort - much like Microsoft does. The only difference with Microsoft's patches is they can, rarely, break things. I've never seen this happen with a Linux update.
Personally I've never heard anybody say anything bad about the pro-active way which the OpenBSD team audit their codebase and this is one of the reasons why I started the Debian Security Audit [debian.org].
Having a dedicated team of people auditing code, combined with the ability to release updates in a timely manner, is definitely a good thing.
(The results of my work [debian.org] show that even with only a small amount of effort security can be increased)
Did I mention that I'm available for hiring? [steve.org.uk] ;)
Re:What about people... (Score:2, Informative)
Report it to the developer, not the whole world.
The standard nowadays is to notify the vendor and give them time to create a fix, and then report it to the world at large.
The problem with notifying only the vendor was (years ago) found to be that vendors would not fix an exploit if they were confident that few people knew about it. Vulnerabilities known to the vendors went years without being fixed because they knew that few people were capable of figuring out that the vulnerability existed.
The current system is basically a way to shame the vendors into acting proactively to fix a vulnerability, before an exploit is found in the wild. The hazards of it were debated long and hard by the IT community, but in the end it was decided that they had to force vendors to act.
Re:Security guy? (Score:4, Informative)
Member of the IAB. Co-chair of the TLS working group.
An earlier paper on the same subject (Score:2, Informative)
Schell, R.R. Computer security: the Achilles' heel of the electronic Air Force? in Air University Review. January-February 1979, Vol. 30. p. 16-33.
http://www.airpower.maxwell.af.mil/airchronicle