How Many Monocultures Make Up a Polyculture?

 
 
By Larry Seltzer  |  Posted 2007-09-26 Print this article Print
 
 
 
 
 
 
 

Opinion: Windows isn't the only software almost everyone uses. Look for some others to attract attack soon, with Adobe's PDF files at the top of the list.

Probably the best intellectual argument against the dominance of Windows in the market is the "monoculture" argument. This idea states when a high percentage of users are using the same platform, the population of users is too vulnerable to attacks on that platform. Windows is basically as dominant as ever, but a number of other monocultures have sprung up with their own vulnerability issues. Like Windows, they are attracting extra attention from vulnerability research and even exploit development. In a way, its a sign of maturity.

The obvious leader for a new monoculture is PDF, the document format of Adobe Acrobat. Security vulnerabilities in Acrobat are nothing new (heres one from 1997), but there has been a lot of action lately in this space, and Adobes record on handling the problems is less than stellar.

Low-cost alternatives to Acrobat could give you some security cover and have you PDFing cheap. Click here to read more.

The most recent stink was raised by a researcher named Gnucitizen. I generally dont like hysteria-raising, but his claim of another serious vulnerability in Acrobat is worthy of attention, even if he hasnt backed up any of his claims yet. Hes found several vulnerabilities in the past along these same lines, and there have been many PDF vulnerabilities over the last few years. Heres Gnucitizens recent demonstration of code execution by opening a PDF.

PDF is perhaps the perfect next step for targeted attackers looking for an edge as Microsoft Office gets harder to attack. PDF files are highly trusted and the format of choice for important documents. Its strong support for digital signatures gives it business in fields such as digital notarization.

After years of abuse, users are perhaps leery of e-mailed Microsoft Office documents, and everyones security software scans these files. Support for PDF scanning is not as widespread, although there are products, such as Secure Computings WebWasher, that scan PDFs at the gateway with an eye for exploits.

What Adobe has in common with Microsoft is a piling on of features into PDF in recent years without sufficient consideration of security issues. Consider Javascript, which can be embedded in PDFs to add functionality such as popup windows and form validation and is on by default. I imagine there are legitimate applications of Javascript out there, but Im sure theyre rare. In the meantime, it is the focus of many of the recent PDF vulnerabilities. If theres a way to turn off Javascript in Acrobat Reader as a matter of network policy, I havent found it. Please let me know if its possible.

On the other hand, there are many third-party PDF readers, and its reasonable to assume that many, if not most, PDF vulnerabilities are actually vulnerabilities in Acrobat and Acrobat Reader rather than generic to all programs that support the format.

PDF, of course, is not alone in forming its own monoculture. Adobes Flash is another good candidate, and there has been no shortage of Flash vulnerabilities over the years. I have heard of real exploits, but they are rare.

Another platform that is universal enough to qualify for a monocultural attack is Java. Theyre not very high profile, but Ive seen trojaned Web sites that try, among many other vulnerabilities, to exploit Java holes to compromise the system. Just yesterday Sun announced a series of measures to strengthen its security response for Java.

The last great monoculture setting up for attacks is Google. Numerous vulnerabilites in Google software have been reported recently.

I get the sense that the velocity of vulnerability development on Windows has flattened out. All the real innovation seems to be in social engineering, although at the cost of some complex development there are good opportunities for targeted attacks through device drivers. The alternative monocultures present an inviting opportunity for attackers. Look for them to be more in the news soon.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers blog Cheap Hack
 
 
 
 
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel