Page Content

2007: The year of the 9,999 vulnerabilities?


A look at the National Vulnerability Database statistics will reveal that the number of vulnerabilities found yearly has greatly increased since 2003:


Average yearly increase (including the 2002-2003 decline): 48%

6605*1.48= 9775

So, that’s not quite 9999, but fairly close.  There’s enough variance that hitting 9999 in 2007 seems a plausible event.  If not in 2007, then it seems likely that we’ll hit 9999 in 2008.  So, what does it matter?

MITRE’s CVE effort uses a numbering scheme for vulnerabilities that can accomodate only 9999 vulnerabilities:  CVE-YEAR-XXXX.  Many products and vulnerability databases that are CVE-compatible (e.g., my own Cassandra service, CIRDB, etc…) use a field of fixed size just big enough for that format.  We’re facing a problem similar, although much smaller in scope, to the year-2000 overflow.  When the board of editors of the CVE was formed, the total number of vulnerabilities known, not those found yearly, was in the hundreds.  A yearly number of 9999 seemed astronomical;  I’m sure that anyone who would have brought up that as a concern back then would have been laughed at.  I felt at the time that it would take a security apocalypse to reach that.  Yet there we are, and a fair warning to everyone using or developing CVE-compatible products.

Kudos to the National Vulnerability Database and the MITRE CVE teams for keeping up under the onslaught.  I’m impressed.

Interesting reading


[tags]Microsoft Vista, DRM[/tags]

Peter Gutmann, a scientist at the University of Auckland, has recently written an essay about DRM (Digital Rights Management) in the new Windows Vista OS.  The essay is quite interesting, and is certainly thought-provoking.  His “Executive Executive Summary” is very quotable:

The Vista Content Protection specification could very well constitute the longest suicide note in history.

Well worth reading and thinking about—I suggest you take a look.

PHPSecInfo: New release (0.1.2), new plans


First off, a new build of PHPSecInfo is out: Version 0.1.2, build 20061218. Here’s what’s new:

  • Code is now licensed under “New BSD” license. See LICENSE

  • Added PhpSecInfo_Test_Core_Allow_Url_Include to test for allow_url_include in PHP5.2 and above

  • fix bug in post_max_size check where upload_max_size value was being checked

  • change curl file_support test to recommend upgrading to newest version of PHP rather than disabling support in cURL for ‘file://’ protocol

  • removed =& calls that force pass by reference in PHP4, so as to not throw PHP5 STRICT notices. It means passing objects by value in PHP4, but this seems acceptable for our purposes (memory usage isn’t terribly high).

  • Fixed bug in PhpSecInfo_Test_Session_Use_Trans_Sid where wrong ini key was requested (Thanks Mark Wallert)

  • New, detailed README file with explanations and basic usage instructions - Now providing an md5 hash for releases

Here’s what I’m planning to do in the next few releases:

  1. More detailed test results, including the current and recommended settings
  2. A web-based “glossary” with more details on each test & how to fix problems
  3. More tests!!! I especially need your help with this one!

I’m also going to look into options to reformat the test result structure, so it plays more nicely with templating systems. No promises on how this will go, but we’ll see.


Configuration: the forgotten side of security


I was interviewed for an article, Configuration: the forgotten side of security, about proactive security. I am a big believer in proactive security. However, I do not discount the need for reactive security. In the email interview I stated the following:

I define proactive security as a method of protecting information and resources through proper design and implementation to reduce the need for reactive security measures. In contrast, reactive security is a method of remediation and correction used when your proactive security measures fail. The two are interdependent.

I was specifically asked for best practices on setting up UNIX/Linux systems. My response was to provide some generic goals for configuring systems, which surprisingly made it into the article. I avoided listing specific tasks or steps because those change over time and vary based on the systems used. I have written a security configuration guide or two in my time, so I know how quickly they become out of date. Here are the goals again:

The five basic goals of system configuration:

  1. Build for a specific purpose and only include the bare minimum needed to accomplish the task.
  2. Protect the availability and integrity of data at rest.
  3. Protect the confidentiality and integrity of data in motion.
  4. Disable all unnecessary resources.
  5. Limit and record access to necessary resources.

In all, the most exciting aspect is that I was quoted in an article alongside Prof. Saltzer. That’s good company to have.

Are You Still E-mailing Word documents?


[tags]vulnerabilities,microsoft word, email attachments[/tags]
So far this year, a number of vulnerabilities in Microsoft’s Word have been discovered.  Three critical (“zero day”) vulnerabilities have been discovered—and as yet, unpatched—this month.  (Vulnerability 1, Vulnerability 2, and Vulnerability 3.)  These are hardly the first vulnerabilities reported for Word.  There has actually been quite a history of problems associated with Word documents containing malformed (or maliciously formed) content.

For years now, I have had my mailer configured to reject Word documents when they are sent to me in email and also send back an explanatory “bounce” message.  In part, this is because I have not had Word installed on my system, nor do I normally use it.  As such, Word documents sent to me in email have largely been so much binary noise.  Yes, I could install some converters that do a halfway reasonable job of converting Word documents, or I could install something like OpenOffice to read Word files without installing Word itself, but that would continue to (tacitly) encourage dangerous behavior by my correspondents.

People who send me Word documents tend to get a bounce message that points out that Word:

  1. Is not a document interchange format—it is not designed for document transport
  2. Is not installed on everyone’s machine, nor available for everyone’s machine
  3. Not all versions of Word are compatible with each other
  4. Results in huge, bloated, files for tiny content (such as memos)
  5. And of course, Word is commonly a vector of viruses and malicious hacks.

If you want more details on this, including links to other essays, see my explanatory bounce text, as cited above.

The US-CERT has warned that people shouldn’t open unexpected Word documents in email.  As general policy, they actually warn not to open email with attachments such as Word documents appearing to be from people you know.  This is because malicious software may have infected an acquaintance’s machine and is sending you something infected, or the return address is faked—it may not be from the user you think!

If there was a mad bomber sending out explosives in packages, and you got a box with your Aunt Sally’s name on it, would you possibly pause before opening it?  Most people would, but inexplicably, those same people exhibit no hesitation in opening Word documents (and other executable content), thereby endangering their own machines—and often everyone in the same enterprise.

There is almost no reason to email Word documents!!  They certainly should be used in email FAR LESS than they currently are.

If you need to send a simple memo or note in email, use plain text (or RichText or even HTML).  It is more likely to be readable on most kinds of platform, is compact, and is not capable of carrying a malicious payload.

If you need to send something out that has special formatting or images, consider PDF.  It may not be 100% safe (although I know of no current vulnerabilities), but it is historically far safer than Word is or has been.  Putting it as an image or PDF on a local WWW site and mailing the URL is also reasonable.

If you must send Word documents back and forth (and there are other word processing systems than Word, btw), then consider sending plain RTF.  Or arrange a protocol so all parties know what is being sent and received, and be sure to use an up-to-date antivirus scanner!  (See the CERT recommendations.)

The new version of Word 2007 uses XML for encoding, and this promises to be safer than the current format.  That remains to be seen, of course.  And it may be quite some time before it is installed and commonplace on enough machines to make a difference.

You can help make the community safer—stop sending Word messages in email, and consider bouncing back any email sent to you in Word!  If enough of us do it, we might actually be able to make the Internet a little bit safer.


An additional note

So, what do I use for word processing?  For years, I have used TeX/LaTeX for papers.  Before that I also used troff on Unix.  I have used FrameMaker on both Mac and Unix, and wrote several books (including all three editions of Practical Unix Security et al.) with it.  I used ClarisWorks on the Mac for some years, and now use Apple’s Pages for many of my papers and documents.

I have installed and used Word under two extraordinary circumstances.  Once was for a large project proposal I was leading across 5 universities where there was no other good common alternative that we could all use—or that everyone was willing to use.  The second case was when I was on the PITAC and was heavily involved in producing the Cyber Security report.

However, I am back to using Pages on the Mac (which can import RTF and, I am told, Word), and LaTeX.  I’ve written over 100 professional articles, 5 books, and I don’t know how many memos and letters, and I have avoided Word.  It can be done.

Note that I have nothing against Microsoft, per se.  However, I am against getting locked into any single solution, and I am especially troubled at the long history of vulnerabilities in Word…which are continuing to occur after years and years of problems.  That is not a good record for the future.

[posted with ecto]