Sensible Trips

There’s yet another exploit out and doing the rounds. Today’s lucky victim is Internet Explorer. It’s a zero-day exploit, meaning no one knew this vulnerability existed until they found it attacking people yesterday. I would like to reprise the article I did last week, Behave Sensibly, where I criticized as lame the standard advice our industry dishes out to end users to protect themselves from threats on the internet.
That advice was:
(i) Use anti-virus & anti-malware.
(ii) Stay patched.
(iii) Behave sensibly.
In the light of that advice, let’s examine today’s attack as described in the ZDNET blog of Ryan Naraine and Dancho Danchev, ‘Microsoft warns of new zero day attacks.’
First up, as already pointed out, it’s a zero-day attack. Therefore there is no patch. According to TippingPoint research, on average it took Microsoft 100 days to patch something (once they accepted the need for a patch) in 2009. So it will likely stay unpatched for days or weeks.
Second up, there are no virus signatures yet. Cyveillance research shows 30 days from now there is a good chance your virus vendor still won’t have full signatures. Only an 8% chance if you run Kaspersky, but a 53% chance if you run Symantec, 14% if McAfee, 15% if Sophos, 62% if Trend.
Third, read these two quotes carefully:
“… a link to a specific page hosted on an otherwise legitimate website.”
“Visitors who were served the exploit page didn’t realize it, but went on to download and run a piece of malware on their computer without any interaction at all.”
To summarize: you browse to a legitimate web site and become infected without indication of any kind, even though you’re fully patched and running all the virus protection you can buy. Without a patch or signature we’re left with the advice to behave sensibly. Today’s attack shines a bright light on how lame this advice truly is.
At the bottom of the article Naraine summarizes the real actions that need to be taken if you want protection from this attack. It involves some technical know-how in disabling various functions of your browser and email. What isn’t discussed is what impact disabling these things will have on your browser function. Will your web-based CRM work with all this turned off? Will you be able to do your internet banking, make web-based superannuation payments or pay the tax office online with these things turned off? I don’t have the answer to these questions.
There are serious threats on the internet today. They need more than platitudes or blame dressed up as advice. We could start by shrinking 100-day patch cycles or shipping anti-virus technologies that protect within hours or days, not weeks. We could stop issuing butt-covering or lame types of advice. Our problems will be solved by quality engineering with persistent resolve, not quality PR and well-funded media releases.
The days of shipping software code that is ‘good enough’, but not right, are coming to a close. It’s time to do it better.
