The InfoSec Blog
11Jan/13

Another Java bug: Disable the java setting in your browser

http://www.kb.cert.org/vuls/id/625617

Java 7 Update 10 and earlier contain an unspecified vulnerability
that can allow a remote, unauthenticated attacker to execute arbitrary
code on a vulnerable system.
By convincing a user to visit a specially crafted HTML document,
a remote attacker may be able to execute arbitrary code on a vulnerable
system.
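The CERT note above names an affected range ("Java 7 Update 10 and earlier") but gives no way to check an installed version against it. The following is an added example, not part of the original post or the CERT note: it parses the version line that `java -version` prints (the old `1.7.0_10` style) and flags hosts whose Java falls in that range. The sample inventory lines are constructed, and the check reads the note's range as applying to the Java 7 line only, which is an assumption.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected range named in the CERT note: Java 7 Update 10 and earlier.
AFFECTED_MAJOR = 7
AFFECTED_MAX_UPDATE = 10

# Matches the version line printed by `java -version`, e.g.
#   java version "1.7.0_10"
# and also a bare version string such as 1.7.0_10 or 1.7.0 (update 0).
_VERSION_RE = re.compile(r'(?:java version ")?1\.(\d+)\.(\d+)(?:_(\d+))?"?')


def parse_java_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, update) from a `java -version` line, or None if unparseable."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major = int(m.group(1))
    minor = int(m.group(2))
    update = int(m.group(3)) if m.group(3) else 0  # "1.7.0" with no suffix is update 0
    return major, minor, update


def is_in_affected_range(text: str) -> Optional[bool]:
    """True if the version is Java 7 Update 10 or earlier (the note's range).

    False for a later Java 7 update or a different major line; None if the
    text carries no parseable version. Assumption: the note's range is read
    as covering the Java 7 line only.
    """
    parsed = parse_java_version(text)
    if parsed is None:
        return None
    major, _minor, update = parsed
    return major == AFFECTED_MAJOR and update <= AFFECTED_MAX_UPDATE


# Constructed sample inventory (hypothetical hostnames), as an operator might
# collect by running `java -version` on each machine.
SAMPLE_INVENTORY: Dict[str, str] = {
    "host-a": 'java version "1.7.0_10"',
    "host-b": 'java version "1.7.0_11"',
    "host-c": 'java version "1.7.0"',
    "host-d": 'java version "1.6.0_38"',
    "host-e": "no java installed",
}


def hosts_to_remediate(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted hostnames whose Java falls in the affected range."""
    return sorted(h for h, line in inventory.items() if is_in_affected_range(line))


if __name__ == "__main__":
    for host, line in SAMPLE_INVENTORY.items():
        print(f"{host}: {line!r} -> affected={is_in_affected_range(line)}")
    print("remediate:", hosts_to_remediate(SAMPLE_INVENTORY))
```

Lines that do not parse are reported as `None` rather than "not affected", so a host where the check could not run is not silently counted as safe.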

Well, yes .... but.


Are we fighting a losing battle?
The New York Times is saying out loud what many of us (see Vmyths.com and Rob Rosenberger) have known in our hearts for a long time: AV products don't work.

Once upon a time, the germ theory of disease was treated with disdain despite the evidence:

Despite various publications of results where hand-washing reduced
mortality to below 1%, Semmelweis's observations conflicted with the
established scientific and medical opinions of the time and his ideas
were rejected by the medical community. Some doctors were offended at
the suggestion that they should wash their hands.

Yes, analogies are flawed and limited. All analogies break down if taken to their limits or examined by experts. But analogies are useful for quickly conveying a very basic level of understanding to people who are neither medical professionals nor technology / security professionals.

Take "Joe Sixpack", for example: a regular, non-medical, non-technical computer user. The one who bought his computer at Wal-Mart. You know, the one with a password that's in the top 10 most common and who hasn't changed it since he bought the machine. And let's face it, he doesn't know the difference between a virus, a microbe and a bacterium. When he falls ill he's come down with a "bug". His computer has "bugs" as well.

Perhaps it's not simply the case that Joe Sixpack takes offence at the idea that there are some sites he should not visit, that some of his favourite - cough, cough - sites are sources of malware infections, even if he does disable the aggressive pop-ups they use. But let's face it, there are many egregious practices Joe Sixpack engages in, most notably getting drunk and driving. The statistics for DUI on Friday and Saturday nights are horrific and have been for a long time.

Good risk management practice weighs many factors, among them the cost of the risk and how easy it is to mitigate.

This one is easy to mitigate, but there are still going to be end users who depend on very specific web-based applications. After all, the pressure is on to move to web-based applications to support netbooks, tablets and smartphones. Then there are Chromebooks.

It seems that Microsoft, Google, Amazon and others see connectivity and web-based applications and storage as the future; after all, popular tablets like the Nexus 7 don't have an SD card slot! Amazon and others have clearly adopted a "Software as a Service" approach.

On top of this, I'm beginning to see articles on-line about the "security of the cloud" and how suppliers and service organizations can't offer an adequate level of security.

I think it's going to get worse before it gets better. Like so many things in public life, it's going to take a few disasters, perhaps even loss of life, before people wise up. Maybe not even then; the statistics on DUI mortality aren't hopeful either. It's been a long and slow battle.

In many ways, AV products are a form of religion, a cargo cult. But that's a subject for another article.


Posted by Anton Aylward

Comments (1) Trackbacks (0)
  1. I’m afraid I don’t understand this blog entry.

    It starts by highlighting a US-CERT vulnerability note, and observes as well that Java is pervasive, and that one needs to be careful about disabling java. But then, the US-CERT advice is ‘we are currently unaware of a practical solution’ and suggests disabling java in a browser as a workaround. This seems correct and valid advice.

    It goes on to ask ‘are we fighting a losing battle?’ I’m not sure what the reference to AV products means, as no product has been mentioned to date. I don’t get the digression into ‘bugs’. The observation seems to be that both technical and novice users may have bad habits, which is of course correct but hardly novel.

    The next turn is more interesting. It points out that we are increasingly dependent upon web based systems, and so disabling java in a browser is having increasing impact upon user activity. This is important, I think, but equally important is that we are blurring the ‘my computer, your service’ model — we are increasingly dependent upon external providers for *all* resources, not just external data. This has a profound impact upon the trusted path, and should call into question all risk assessment evaluation; increasingly, we are not able to mitigate risk, but depend upon risk transference — while at the same time these players treat security as externalities, and do not accept the transferal of risk. It is a puzzle.

    But I guess I don’t understand the subject of this article.

