[121553] in North American Network Operators' Group


Re: Anyone see a game changer here?

daemon@ATHENA.MIT.EDU (Bruce Williams)
Fri Jan 22 00:27:09 2010

In-Reply-To: <6eb799ab1001212119m120fc13dt27be7da4c459c4cd@mail.gmail.com>
Date: Thu, 21 Jan 2010 21:26:45 -0800
From: Bruce Williams <williams.bruce@gmail.com>
To: James Hess <mysidia@gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

The problem with IE is the same problem as Windows: the basic design
is fundamentally insecure and "timely updates" can't fix that.

Bruce

On Thu, Jan 21, 2010 at 9:19 PM, James Hess <mysidia@gmail.com> wrote:
> On Thu, Jan 21, 2010 at 9:52 PM, Gadi Evron <ge@linuxbox.org> wrote:
>> On 1/15/10 5:52 PM, Steven Bellovin wrote:
> ..> 2. Is Microsoft, while usually timely and responsible, completely
>> irresponsible in wanting to patch this only in February? While they patched
>> it sooner (which couldn't have been easy), their over-all policy is very
>> disturbing and in my opinion calls for IE to not be used anymore.
>
> It is not as if there are a wealth of alternatives. There are still
> many cases, where IE or MSHTML components are a pre-requisite, to
> access a certain product that is important to the user. A
> canonical example, would be:
>
> Intranet apps, web-managed routers, switches, firewalls, or other
> network infrastructure that can only be administered using MSIE
> version 6 (ActiveX control, or old HTML relying on IE features) --
> probably devices with old software.
> Mail readers such as Outlook with MSHTML components embedded.
>
> ..> 3. Why are people treating targeted attacks as a new threat model? Their
>> threat models are just old. This we discussed here.
>
> It's an old model that could have fallen into some measure of disuse.
> Targeted attacks are possibly riskier to launch than randomly
> dispersed attacks, and require an insider or more determined
> attacker who can effect social engineering in the right place; the
> result is they are rarer.
>
> Intuitively, hardly any user thinks they can personally be subject
> to a complex targeted attack penetrating multiple security layers and
> requiring obscure enterprise-specific info.... until it happens...
> because people assume complexity of the required attack, and
> 'security software' such as Antivirus lead to a high level of safety,
> without ever having a logical or statistically rigorous basis for
> arriving at the assumption.
>
> Perhaps there were so many non-targeted attacks, that the idea of
> "targeted attack" was drowned out of the security dialogue and
> forgotten by some.. or there was a mistaken belief that the
> targeted attacks automatically get stopped by the firewall and
> mod_security...
>
> --
> I believe 3 to 4 weeks is par for the course, with most major
> software manufacturers, even for a patch to a critical security
> issue...
>
>
> It is really impossible to make a reasonable assessment on
> Microsoft's response based on just one event (where in fact, they
> pulled through).
>
> I don't perceive that Microsoft have any solid history of being more timely or
> more responsible, than other vendors. In most cases, they have
> released patches soon after a serious advisory was made public, but
> the date the vulnerability was first discovered and reported to
> Microsoft, is not disclosed in the advisory or patch too often, that
> I saw. As I understand: a vulnerability might have first been
> reported to MS months or years before they released a patch or even
> acknowledged there was an issue, in some cases. Sometimes they even
> advise, but say there will be no patch (e.g. Windows XP and
> MS09-048 ).
>
>
> A "true" zero day like the recent one, where the exploit is in the
> wild and in use by blackhats prior to the vendor even being aware of
> a possible vulnerability, is a different animal, than routine
> security patches (even ones listed as critical or high-priority).
>
> Because (no doubt) it requires some strong measure of analysis first
> to determine what code is being exploited, in addition to the normal
> steps involved in fixing a hole.... e.g. determining what the
> actual possible bug(s) are, and how to fix, without probably
> introducing new ones, or missing some conditions.
>
>
> --
> -J
>
>



-- 

"Discovering...discovering...we will never cease discovering...
and the end of all our discovering will be
to return to the place where we began
and to know it for the first time."
-T.S. Eliot

