Vulnerability disclosure is such a painful issue.  However, some people are trying to make it as painful as possible.  They slap and kick people with the release of 0-day vulnerabilities, and tell them it’s for their own good.  In their fantasies, sometime in the future, we’ll be thanking them.  In reality, they make me feel sympathy for the vendors. 

They cite disillusionment with the “responsible disclosure” process.  They believe that this process forces them somehow to wait indefinitely on the pleasure of the vendor.  Whereas it is true that many vendors won’t and don’t fix known issues unless they are known publicly or are threatened with a public disclosure, it bemuses me that these people are unwilling to give the vendor a chance and wait a few weeks.  They use the excuse of a few bad vendors, or a few occurrences of delays in fixes, even “user smugness”, to systematically treat vendors and their clients badly.  This shows recklessness, impatience, intransigence, bad judgment and lack of discernment. 

I agree that reporting vulnerabilities correctly is a thankless task.  Besides my previous adventure with a web application, when reporting a few vulnerabilities to CERT/CC, I received no replies ever, not even an automated receipt.  It was like sending messages into a black hole.  Some vendors can become defensive and unpleasant instead.  However, that doesn’t provide a justification for not being gallant, and first giving an opportunity for the opposite side to behave badly.  If you don’t do at least that, then you are part of the problem.  As in many real life problems, the first one to use his fists is the loser.

What these security vigilantes are really doing is using as hostages the vendor’s clients, just to make an ideological point.  That is, they use the threat of security exploits to coerce or intimidate vendors and society for the sake of their objectives.  They believe that the ends justify the means.  Blackmail is done for personal gain, so what they are doing doesn’t fit the blackmail category, and it’s more than simple bullying.  Whereas the word “terrorism” has been overused and brandished too often as a scarecrow, compare the above to the definition of terrorism.  I realize that using this word, even correctly, can raise a lot of objections.  If you accept that a weaker form of terrorism is the replacement of physical violence with other threats, then it would be correct to call these people “small-time terrorists” (0-day pun intended).  Whatever you want to call them, in my opinion they are no longer just vigilantes, and certainly not heroes.  The only thing that can be said for them is, at least they didn’t try to profit directly from the disclosures.

Finally, let me make clear that I want to be informed, and I want disclosures to happen.  However, I’m certain that uncivil 0-day disclosures aren’t part of the answer.  There is an interesting coverage of this and related issues at C/NET.

[tags]Microsoft Vista, DRM[/tags]

Peter Gutmann, a scientist at the University of Auckland, has recently written an essay about DRM (Digital Rights Management) in the new Windows Vista OS.  The essay is quite interesting, and is certainly thought-provoking.  His “Executive Executive Summary” is very quotable:

The Vista Content Protection specification could very well constitute the longest suicide note in history.

Well worth reading and thinking about—I suggest you take a look.

First off, a new build of PHPSecInfo is out: Version 0.1.2, build 20061218. Here’s what’s new:

• Code is now licensed under “New BSD” license. See LICENSE

• Added PhpSecInfo_Test_Core_Allow_Url_Include to test for allow_url_include in PHP5.2 and above

• fix bug in post_max_size check where upload_max_size value was being checked

• change curl file_support test to recommend upgrading to newest version of PHP rather than disabling support in cURL for ‘file://’ protocol

• removed =& calls that force pass by reference in PHP4, so as to not throw PHP5 STRICT notices. It means passing objects by value in PHP4, but this seems acceptable for our purposes (memory usage isn’t terribly high).

• Fixed bug in PhpSecInfo_Test_Session_Use_Trans_Sid where wrong ini key was requested (Thanks Mark Wallert)

• New, detailed README file with explanations and basic usage instructions - Now providing an md5 hash for releases

Here’s what I’m planning to do in the next few releases:

1. More detailed test results, including the current and recommended settings
2. A web-based “glossary” with more details on each test & how to fix problems
3. More tests!!! I especially need your help with this one!

I’m also going to look into options to reformat the test result structure, so it plays more nicely with templating systems. No promises on how this will go, but we’ll see.

I was interviewed for an article, Configuration: the forgotten side of security, about proactive security. I am a big believer in proactive security. However, I do not discount the need for reactive security. In the email interview I stated the following:

I define proactive security as a method of protecting information and resources through proper design and implementation to reduce the need for reactive security measures. In contrast, reactive security is a method of remediation and correction used when your proactive security measures fail. The two are interdependent.

I was specifically asked for best practices on setting up UNIX/Linux systems. My response was to provide some generic goals for configuring systems, which surprisingly made it into the article. I avoided listing specific tasks or steps because those change over time and vary based on the systems used. I have written a security configuration guide or two in my time, so I know how quickly they become out of date. Here are the goals again:

The five basic goals of system configuration:

1. Build for a specific purpose and only include the bare minimum needed to accomplish the task.
2. Protect the availability and integrity of data at rest.
3. Protect the confidentiality and integrity of data in motion.
4. Disable all unnecessary resources.
5. Limit and record access to necessary resources.

In all, the most exciting aspect is that I was quoted in an article alongside Prof. Saltzer. That’s good company to have.

[tags]vulnerabilities,microsoft word, email attachments[/tags]
So far this year, a number of vulnerabilities in Microsoft’s Word have been discovered.  Three critical (“zero day”) vulnerabilities have been discovered—and as yet, unpatched—this month.  (Vulnerability 1, Vulnerability 2, and Vulnerability 3.)  These are hardly the first vulnerabilities reported for Word.  There has actually been quite a history of problems associated with Word documents containing malformed (or maliciously formed) content.

For years now, I have had my mailer configured to reject Word documents when they are sent to me in email and also send back an explanatory “bounce” message.  In part, this is because I have not had Word installed on my system, nor do I normally use it.  As such, Word documents sent to me in email have largely been so much binary noise.  Yes, I could install some converters that do a halfway reasonable job of converting Word documents, or I could install something like OpenOffice to read Word files without installing Word itself, but that would continue to (tacitly) encourage dangerous behavior by my correspondents.

People who send me Word documents tend to get a bounce message that points out that Word:

1. Is not a document interchange format—it is not designed for document transport
2. Is not installed on everyone’s machine, nor available for everyone’s machine
3. Not all versions of Word are compatible with each other
4. Results in huge, bloated, files for tiny content (such as memos)
5. And of course, Word is commonly a vector of viruses and malicious hacks.

If you want more details on this, including links to other essays, see my explanatory bounce text, as cited above.

The US-CERT has warned that people shouldn’t open unexpected Word documents in email.  As general policy, they actually warn not to open email with attachments such as Word documents appearing to be from people you know.  This is because malicious software may have infected an acquaintance’s machine and is sending you something infected, or the return address is faked—it may not be from the user you think!

If there was a mad bomber sending out explosives in packages, and you got a box with your Aunt Sally’s name on it, would you possibly pause before opening it?  Most people would, but inexplicably, those same people exhibit no hesitation in opening Word documents (and other executable content), thereby endangering their own machines—and often everyone in the same enterprise.

There is almost no reason to email Word documents!!  They certainly should be used in email FAR LESS than they currently are.

If you need to send a simple memo or note in email, use plain text (or RichText or even HTML).  It is more likely to be readable on most kinds of platform, is compact, and is not capable of carrying a malicious payload.

If you need to send something out that has special formatting or images, consider PDF.  It may not be 100% safe (although I know of no current vulnerabilities), but it is historically far safer than Word is or has been.  Putting it as an image or PDF on a local WWW site and mailing the URL is also reasonable.

If you must send Word documents back and forth (and there are other word processing systems than Word, btw), then consider sending plain RTF.  Or arrange a protocol so all parties know what is being sent and received, and be sure to use an up-to-date antivirus scanner!  (See the CERT recommendations.)

The new version of Word 2007 uses XML for encoding, and this promises to be safer than the current format.  That remains to be seen, of course.  And it may be quite some time before it is installed and commonplace on enough machines to make a difference.

You can help make the community safer—stop sending Word messages in email, and consider bouncing back any email sent to you in Word!  If enough of us do it, we might actually be able to make the Internet a little bit safer.

An additional note

So, what do I use for word processing?  For years, I have used TeX/LaTeX for papers.  Before that I also used troff on Unix.  I have used FrameMaker on both Mac and Unix, and wrote several books (including all three editions of Practical Unix Security et al.) with it.  I used ClarisWorks on the Mac for some years, and now use Apple’s Pages for many of my papers and documents.

I have installed and used Word under two extraordinary circumstances.  Once was for a large project proposal I was leading across 5 universities where there was no other good common alternative that we could all use—or that everyone was willing to use.  The second case was when I was on the PITAC and was heavily involved in producing the Cyber Security report.

However, I am back to using Pages on the Mac (which can import RTF and, I am told, Word), and LaTeX.  I’ve written over 100 professional articles, 5 books, and I don’t know how many memos and letters, and I have avoided Word.  It can be done.

Note that I have nothing against Microsoft, per se.  However, I am against getting locked into any single solution, and I am especially troubled at the long history of vulnerabilities in Word…which are continuing to occur after years and years of problems.  That is not a good record for the future.

[posted with ecto]