[ISN] Security claims asking for trouble

InfoSec News isn at c4i.org
Wed Jun 8 05:04:32 EDT 2005


By Patrick Gray
June 7, 2005

Two words that should never pass the lips of a software vendor are
"it's secure", says Symantec's Dave Ahmad. Such statements draw the
undivided attention of the world's security researchers, eager to poke
holes in vendor grandstanding by finding security glitches in software
touted as unbreakable.

As the moderator of the Bugtraq security mailing list for the past
four years, Mr Ahmad has seen his fair share of security vulnerability
advisories. A free email subscription to Bugtraq has become a
must-have for IT security consultants, managers, vendors, researchers
and students alike.

Software vendors use Bugtraq to disclose vulnerabilities - flaws that
attackers can use to break into computers running the affected software
- and security researchers share findings and collaborate on the list.

After four years on the job, Mr Ahmad, who is based in Calgary,
Canada, has come to appreciate that hyping software as a safer
substitute to products having a bad run with security flaws may not be
the best way to grab market share.

"When systems are touted as a secure alternative to the mainstream,
that attracts (security) researchers," he says. "It's that hacker
instinct: to go against the norm, to attack assumptions."

Recent examples cited by Mr Ahmad are the open source Mozilla Firefox
browser, described by some as a secure alternative to Internet
Explorer, and Apple's flagship operating system, OS X, an alternative
to Microsoft's Windows. The image of both Firefox and OS X as
completely secure software has been eroded in recent months, with
security researchers disclosing vulnerabilities in the browser and
operating system software.

Mr Ahmad, 25, first joined the company that maintains Bugtraq,
SecurityFocus, at 18 to maintain the company's vulnerability database.
He took over Bugtraq in September 2001 and has been running it ever
since. SecurityFocus, an operator of an early-warning system and
web-portal, as well as the Bugtraq mailing list and vulnerability
database, was acquired in 2002 by security software maker Symantec.

He's seen a lot of change in his time running Bugtraq. For example,
vendors are more responsive to security concerns.

"Microsoft has got better. The open source community has got better,"
Mr Ahmad says. "Even vendors like Oracle, who I don't think are the
best right now, have been pressured by high-profile researchers . . .
into reacting a little more quickly."

However, according to Mr Ahmad, the recent downturn in the number of
serious security vulnerabilities disclosed to the wider community
comes not from increased product security, but an increasingly
secretive research community. "In the last year or so there just
haven't been those high-profile vulnerabilities," he says. "A lot of
the good vulnerability researchers have stopped disclosing their

More and more, security companies are selling their vulnerability
data, Mr Ahmad says. "They're keeping their vulnerabilities private
and charging a subscription fee," he says. "Now that vulnerabilities
have a value, they're worth something, people will pay for them,
there's a motivation to keep them private."

Even the bugs themselves have changed with time, Mr Ahmad says.
Sometimes a breakthrough in security research will lead to a flood of
vulnerabilities being disclosed. Technical methods for manipulating
the memory "heap" on several operating systems, for example, were
widely published in hacker magazines such as Phrack, Mr Ahmad says.
That led to an onslaught of heap-related vulnerabilities being
disclosed that were previously thought to be non-critical. "The level
of sophistication is incredible now," he says.

At the CanSecWest security conference held in May in Canada, Mr Ahmad
was impressed by a presentation by US-based IT security outfit eEye
Digital Security. The company's consultants demonstrated the
exploitation of a kernel vulnerability in Windows, a glitch
traditionally thought too difficult to use practically to compromise a
computer system.

"A few years ago it was inconceivable that this could be done, but
we're pushing the limits because a lot of the low hanging fruit has
been picked," Mr Ahmad says.
