Why Counting Flaws is Flawed — Krebs on Security


Krebs calls into question Bit9's “Dirty Dozen” Top Vulnerable Application List which placed Google’s Chrome as number one. The key issue is that categorizing vulnerabilities simply by severity creates a misleading picture.

Severity is certainly an important criterion, but it does not equal risk. Krebs highlights several additional factors which affect risk level:

  • Was the vulnerability discovered in-house — or was the vendor first alerted to the flaw by external researchers (or attackers)?
  • How long after being initially notified or discovering the flaw did it take each vendor to fix the problem?
  • Which products had the broadest window of vulnerability, from notification to patch?
  • How many of the vulnerabilities were exploitable using code that was publicly available at the time the vendor patched the problem?
  • How many of the vulnerabilities were being actively exploited at the time the vendor issued a patch?
  • Which vendors make use of auto-update capabilities? For those vendors that include auto-update capabilities, how long does it take “n” percentage of customers to be updated to the latest, patched version?

When taking these factors into consideration, Krebs opines that Adobe comes in first, second, and third!!
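To make the difference between counting flaws and measuring exposure concrete, here is an added example (not from Krebs or Bit9) that computes the first five factors above per product. The products, dates and flags are constructed sample data, and the field names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date
from statistics import median
from typing import NamedTuple

class Flaw(NamedTuple):
    product: str
    reported: date        # vendor notified of (or discovered) the flaw
    patched: date         # fix released
    in_house: bool        # found by the vendor itself
    public_exploit: bool  # exploit code public when the patch shipped
    exploited: bool       # attacks under way when the patch shipped

# Constructed sample data; products and dates are hypothetical.
FLAWS = [
    Flaw("BrowserA", date(2010, 1, 4), date(2010, 1, 11), True, False, False),
    Flaw("BrowserA", date(2010, 2, 1), date(2010, 2, 11), True, False, False),
    Flaw("BrowserA", date(2010, 3, 1), date(2010, 3, 6), False, False, False),
    Flaw("BrowserA", date(2010, 4, 1), date(2010, 4, 15), True, False, False),
    Flaw("BrowserA", date(2010, 5, 3), date(2010, 5, 12), False, True, False),
    Flaw("ReaderB", date(2010, 1, 1), date(2010, 3, 2), False, True, True),
    Flaw("ReaderB", date(2010, 4, 1), date(2010, 5, 16), False, False, False),
    Flaw("ReaderB", date(2010, 6, 1), date(2010, 8, 30), False, True, True),
    Flaw("RuntimeC", date(2010, 2, 1), date(2010, 3, 3), True, False, False),
    Flaw("RuntimeC", date(2010, 5, 1), date(2010, 8, 29), False, True, True),
]

def per_product_metrics(flaws):
    """Aggregate the exposure factors per product instead of only counting."""
    grouped = defaultdict(list)
    for f in flaws:
        grouped[f.product].append(f)
    metrics = {}
    for product, recs in grouped.items():
        windows = [(f.patched - f.reported).days for f in recs]
        metrics[product] = {
            "flaw_count": len(recs),
            "external_reports": sum(not f.in_house for f in recs),
            "median_window_days": median(windows),
            "max_window_days": max(windows),
            "public_exploit_at_patch": sum(f.public_exploit for f in recs),
            "exploited_at_patch": sum(f.exploited for f in recs),
        }
    return metrics

def rank(metrics, key):
    """Products ordered worst-first by one metric."""
    return sorted(metrics, key=lambda p: metrics[p][key], reverse=True)

if __name__ == "__main__":
    m = per_product_metrics(FLAWS)
    for key in ("flaw_count", "max_window_days", "exploited_at_patch"):
        print(f"{key:>20}: {rank(m, key)}")
```

In this sample the product with the most flaws ranks last on window of vulnerability and on active exploitation, which is the distortion a count-only list hides.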

Microsoft: ‘Unprecedented Wave of Java Exploitation’ — Krebs on Security


Microsoft is confirming a huge increase in attacks against Java vulnerabilities. Why is this important? Java is installed on the majority of the world’s desktop computers. In fact, the attack volume on Java dwarfs that of Adobe, which is saying something. Java may not be quite as ubiquitous as Adobe, but it’s close. For example, Java is required for Webex and GoToMeeting, the two most popular web meeting applications. To get an idea of the Java to Adobe proportion, see the graph below, courtesy of Microsoft via Krebs on Security.

According to Microsoft, the spike in the third quarter of 2010 is primarily driven by attacks on three Java vulnerabilities that have already been patched for some time now. Even so, attacks against these flaws have “gone from hundreds of thousands per quarter to millions.”

Krebs claims the reason for this spike is the inclusion of Java exploits in the commercial crimeware kits sold in the hacker underground.

Java surely falls into that set of PC applications which must be kept up-to-date.

Only one way to block ‘Flash cookies’

While browsers now give you total control of standard “cookies,” Flash cookies are another matter. Woody Leonhard at InfoWorld writes about the only way to control Flash cookies in his article, Block ‘Flash Cookies’ to thwart zombies. Hint: you have to go to the Adobe Flash Player Settings Manager site.

The attack of the Cookie monsters

This past Friday, the Wall Street Journal wrote an extensive article on the “nefarious” techniques web content sites use to help monetize their mostly free content. WSJ calls it “spying.” It implies that users are unaware that it’s happening and are helpless to do anything about it.

First, if you read the WSJ or this blog, you are no longer unaware. Second, most browsers provide tools to protect your privacy while you are browsing and to delete the “cookies.” Third, since most people are unwilling to pay anything for content, the content providers have little choice but to monetize via advertising. In order to achieve reasonable rates, advertisers want to be able to target their ads. Fourth, I believe that most people are OK with the trade-off – free content in exchange for giving up their privacy. If you are not OK with the exchange, see the second point above.

For the most part, I agree with Jeff Jarvis, who takes the Wall St. Journal to task in his post, Cookie Madness.

On the other hand, Wired reported earlier in the week that a lawsuit was filed against Quantcast, a subsidiary of MTV, which allegedly “violated federal computer intrusion law by secretly using storage in Adobe’s Flash player to re-create cookies deleted by users.”

The Wired article goes on to say,

Unlike traditional browser cookies, Flash cookies are relatively unknown to web users, and they are not controlled through the cookie privacy controls in a browser. That means even if a user thinks they have cleared their computer of tracking objects, they most likely have not.

Quantcast claims it stopped using this technique in August 2009, after Wired had first brought it to light.