Other Types of Attacks

By Larry Seltzer  |  Posted 2008-11-18


Frederick Doyle, director of vulnerability operations at iSight Partners, argues that exploit writers targeting third-party controls could, on entry, assess their environment, such as the browser and operating system, and perhaps even the security context, and proceed based on that information. It's not unlike the many Web-page JavaScript routines that branch based on the user-agent string.

But for many vulnerabilities no accommodations are necessary. Doyle said, "Code developed by iSight Partners Labs that exploited the recent Adobe printf vulnerability successfully triggered in both the IE and FF Adobe plug-ins, as well as Adobe Reader and Adobe Acrobat."

It's not exactly the same thing, but I think it's worth mentioning that many social engineering tricks unrelated to vulnerabilities in any program are just as applicable to users of any browser. One popular trick these days is the fake news or some other content site pitched through spam. This example used supposed video of U.S. soldiers fighting in Iran. This one, from the day after the election, supposedly led to election results. In both cases they led to a Trojan horse program.

Often users are told they have to update their Flash viewer or some other viewer program to view the content, and are led to a download for that. Of course they often do carry out the download. Tip: If you want to update Flash, go to the Adobe site to do so.

Another factor that often comes up in these discussions is the difference in user bases for the browsers. IE is the great default, the browser for which any respectable exploit must work, because it has overwhelming market share. The only other browser with noticeable market share is Firefox; you hear numbers up to maybe 20 percent.

We're just stereotyping here, but it makes sense that Firefox users are more likely to be technically sophisticated and appreciative of security concerns. Such users are more likely to update their software religiously, more likely to recognize a scam site when they see it, less likely to fall for a fake error message. But these people push other, less sophisticated users to run Firefox as well; with browser share numbers of 20 percent, clearly there are a lot of novices running Firefox. So perhaps the percentage of users being exploited through third-party controls is larger for IE, but it should be above zero and rising for Firefox.

There are also tools to help Firefox users protect themselves, such as NoScript. I get in fights every time I say this, but I think it's not practical to use NoScript for everyday browsing, especially for a novice. But that's secondary to the main issue. Most Firefox users aren't using NoScript.

With Microsoft and Adobe both doing a better job of fighting vulnerabilities in their own products, it's not surprising, as the Microsoft Security Intelligence Report also finds, that vulnerabilities in software across the industry are declining. This is why social engineering and malware are becoming the real problems. But in the meantime, it makes sense that some of our longstanding biases about product security are not as correct as they might have been at one time.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.

Larry Seltzer has been writing software for, and English about, computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at DeskTop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
