Recently, Microsoft released an updated version of its Malicious Software Removal Tool that, according to reports, removed password-stealing malware from more than 2 million PCs.
To quote Computerworld's report, "Microsoft security fix clobbers 2 million password stealers":
One password stealer, called Taterf, was detected on 700,000 computers in the first day after the update. That's twice as many infections as were spotted during the entire month after Microsoft began detecting the notorious Storm Worm malware last September.
"These are ridiculous numbers of infections my friends, absolutely mind-boggling," wrote Matt McCormack, a spokesman with Microsoft's Malware Response Center...
The password-stealing programs are often installed via Web-based attack code that exploits flaws in multimedia programs such as Adobe's Flash Player or Apple's QuickTime Player... The attacks are often technically sophisticated, exploiting previously undisclosed bugs in Windows software...
Indeed, this is mind-boggling and ridiculous. Mind-boggling that we still consider 2 million infected hosts to be a mind-boggling number (we are now easily into the tens of millions of infected hosts), and ridiculous that we do not castigate software manufacturers for enabling such highly foreseeable malicious activity via defects in their products. In fact, we seem to be grateful when manufacturers give us free tools to clean up after their mistakes. This stretches the definition of "free," to be sure.
Have we really become that numb to defects in software, so blasé to software manufacturing blunders, that we simply take insecure software as an inevitable and unavoidable reality?
Maybe.
Some in the information security community attempt to blame PC owners for the massive installation of malware like Taterf. Some might even argue that "previously undisclosed bugs" are not even necessary to enable widespread infections because users can simply be socially engineered (i.e., tricked) into installing malware onto their machines. And some might even have the audacity to state that what we really need is better in-bound malware blocking and application control to inhibit what malware can do once it gets on a PC.
These arguments have some merit, but not nearly enough.
First, stop solely blaming users for the sorry state of cyber security. Are users partly culpable? You bet. "You can't patch stupid" is an accurate, if cynical, remark made by some in the security industry, but such a remark fails to recognize that users no longer need to be "stupid" to become victims.
Case in point, once upon a time, there was a significant likelihood a computer would get infected because of, shall we say, the pursuit of less-upstanding behavior by users, such as visiting porn sites and downloading cracked software. This will always be true and the title of "stupid" should be awarded frequently and copiously to those who engage in such pursuits.
Of late, however (2004 forward), many normal and innocuous commercial web sites (like Circuit City's Customer Service site) have been hijacked and infected with exploit code targeted at users' Internet browsers, media players, and operating systems. Just by visiting these unknowingly infected web sites, the victim's machine becomes infected through no fault of the user (but through the fault of the software manufacturer). Because exploits on the hijacked website attack previously undisclosed vulnerabilities on the user's PC (such as in QuickTime, Internet Explorer, Adobe Flash, or Safari), the user's stupidity is moot. Patching is moot. The user is not "stupid" in such cases; the manufacturer is, and so are we for failing to recognize this and failing to stop it.
We have spent decades in the legal profession protecting consumer rights: protecting consumers against blame for damages caused by manufacturing defects that were not the consumers' fault. Let us not delay fairness in the Information Age as we did in the Industrial Age. Where users are responsible for their own behavior in cyber space (such as giving up their password to a phishing scam), by all means hold users responsible for possible damages (and pursue the cyber criminal if we can). But we cannot, should not, must not hold computer users accountable for something that is not their fault: poorly written software. Such responsibility should fall squarely on the shoulders of software manufacturers, but it does not.
Remember, users are merely an avenue to the vulnerabilities of software. Simply by surfing the Internet, users are at risk, not through questionable behavior, or even stupid behavior as once was the case, but through normal, innocuous behavior. Users can be tricked by a host of techniques to be sure, but they are tricked for what I believe to be a significant and obvious reason: to exploit defects in the software they use.
Are there other reasons? Sure. It's not just about exploiting vulnerabilities in software, but exploiting vulnerabilities in software is a very powerful incentive; otherwise we would not see the type and amount of concentrated research by cyber criminals and nation states into discovering software vulnerabilities. Discovering defects that manufacturers failed to detect themselves gives discoverers potentially immense power over millions of systems.
Second, insisting that we need better in-bound malware blocking and application control is yet more of the same technology-centric view of security; that somehow insecure software is a technological phenomenon to be solved by yet more technological phenomena. Can products help to an extent? Yes. But these products are not complements to robust, secure software as seat belts and air bags are complementary to robust, safety-oriented automotive design; security products are counterbalances to the lack of security and software assurance practices of software manufacturers.
Complicating this situation, the security industry does not really sell security; it sells products. Analysts as well as vendors make money from all the gymnastics and prancing in the security industry. Their incentive is to sell: sell products, sell devices, and sell reports about those devices and products. Their incentive is not necessarily to protect you. Their incentive is to sell. Their hope, as well as yours, is that the security products actually work and that their efficacy is easy to maintain. History is not kind in this regard.
And where are software buyers now because of this? Swamped with products, swamped with appliances, swamped with best practices, swamped with myriad configuration options, swamped with sometimes contradictory and unrealistic compliance requirements, swamped with unending financial expenses, swamped with what to do and how to do it, scrambling for sanity and feeling dazed and confused.
It is truly mind-boggling and ridiculous.