Some of us are currently enjoying some excellent presentations at a CARO workshop in Budapest on exploits and vulnerabilities. Hopefully, some of them will eventually be made public, so that we'll be able to include pointers to specific resources.
While there's been a great deal of technical detail made available that has passed me by previously on a few issues (well worth the plane fare!), a couple of things have been particularly noticeable. One is that where, say, ten years ago there would have been a great deal of muttering about Microsoft, security through obscurity and other unsafe practices (something of a tradition in old-time AV circles, and not always undeserved), I'm not hearing that here.
Some years ago I sat in on a teleconference where Microsoft enumerated ways in which they intended to prioritise the security of their customers. Hiccoughs and imperfections notwithstanding, it seems to me they've made a fair stab at delivering on all that. Not only have they improved some of their practices beyond recognition, but they're taking part in and in some cases initiating information sharing sessions, based on very sound research. It's a pity that there's still so much "Microsoft Bad, [XYZ Product] Good" reflexive thinking and prejudice around in some forums.
Unsurprising, one session centred on recent Adobe vulnerabilities. Of course, there've been quite a few of these recently, mostly related to Acrobat and Flash, but I don't think that it's altogether appropriate to judge a product's security by the number of CVE entries that relate to it. I'm a great believer in defensive programming, and it's been encouraging to see the computing industry in general moving so far in that direction in recent years, but it would be over-optimistic to believe that all vulnerabilities in large, complex applications can be eliminated by certifying programmers. That strikes me as being analogous to expecting the ever-increasing number of CISSPs to eliminate security problems. There's a great deal of research out there being expended on breaking application and OS security, and not all of it is benevolent.
But I do think Adobe has a problem. I'm sure it takes patching practice seriously, and its leaning towards what I sometimes call "reluctant disclosure" of vulnerabilities is neither unique nor indefensible. But there's a curious disconnect between the company's advice on dealing with the latest issue, recommending disabling of JavaScript (told you so!), and its actual development and implementation practice, which actively discourages the average user from disabling, by aggressively defaulting to settings that have repeatedly been exploited. There has to be a better way, starting with trying to think more like an "average user" in the face of a significant security issue. If Adobe PSIRT tells them to take a precaution and the program itself continually nags them to do the opposite, how many users are likely to go along the path of least resistance? An awful lot, I'd guess.
David Harley
Director of Malware Intelligence
