Some of us are currently enjoying some excellent presentations at a CARO workshop in Budapest on exploits and vulnerabilities. Hopefully, some of them will eventually be made public, so that we’ll be able to include pointers to specific resources.
While there’s been a great deal of technical detail made available that has passed me by previously on a few issues (well worth the plane fare!), a couple of things have been particularly noticeable. One is that where, say, ten years ago there would have been a great deal of muttering about Microsoft, security through obscurity and other unsafe practices (something of a tradition in old-time AV circles, and not always undeserved), I’m not hearing that here.
Some years ago I sat in on a teleconference where Microsoft enumerated ways in which they intended to prioritise the security of their customers. Hiccoughs and imperfections notwithstanding, it seems to me they’ve made a fair stab at delivering on all that. Not only have they improved some of their practices beyond recognition, but they’re taking part in and in some cases initiating information sharing sessions, based on very sound research. It’s a pity that there’s still so much “Microsoft Bad, [XYZ Product] Good” reflexive thinking and prejudice around in some forums.
Unsurprisingly, one session centred on recent Adobe vulnerabilities. Of course, there’ve been quite a few of these recently, mostly related to Acrobat and Flash, but I don’t think that it’s altogether appropriate to judge a product’s security by the number of CVE entries that relate to it. I’m a great believer in defensive programming, and it’s been encouraging to see the computing industry in general moving so far in that direction in recent years, but it would be over-optimistic to believe that all vulnerabilities in large, complex applications can be eliminated by certifying programmers. That strikes me as being analogous to expecting the ever-increasing number of CISSPs to eliminate security problems. There’s a great deal of research effort out there being expended on breaking application and OS security, and not all of it is benevolent.
Director of Malware Intelligence