Both ZDNet and IIS Resources are reporting a newly discovered “worm hole” in Windows 2000, one for which they say there is no work-around. According to the reports, the Windows security company eEye discovered the flaw this week, indicating that the flaw was in a core component which was on by default, and could not be switched off.
Said Marc Maiffret, Chief Hacking Officer (now there’s an interesting title) for eEye, “You can’t turn this (vulnerable) component off. It’s always on. You can’t disable it. You can’t uninstall.”
In keeping with eEye’s stated policy, they are not releasing further information about the flaw until a fix is available, presumably so as to not facilitate exploitation of the flaw.
Crawling around eEye’s site, however, does provide some interesting information, and gives rise to some interesting questions. eEye’s offerings to the public include security products with cute names like Retina, Blink, and Iris. Many of their products are aimed directly at Windows protection and issues, and eEye is hardly alone in that field. But eEye seems to have taken to a new level not only protecting users from malicious attackers, but protecting users from problems with Windows itself. “eEye Digital Security is a leading vulnerability management software developer with a unique approach to enterprise security – eliminate vulnerabilities, rather than just thwart attacks,” says the eEye home page. And just last week they announced “protection for an unpatched MS IE flaw”.
The questions this raises include: what does this say about what consumers expect in terms of the security of a product they buy, out of the box? Have we as an Internet nation become accustomed to, accepting of, even complacent about products which somehow put us at risk but which we nonetheless continue to buy? (This is not a slam at Microsoft, lots of products suffer from these same issues.)
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
But perhaps most interesting to me is the concept of building a business model out of cleaning up someone else’s mess – and having it be a viable business model. Should consumers pay for 3rd-party mess cleaning? Should they have to? Should the mess-maker clean it up? Is this a voluntary or involuntary symbiotic relationship?
What do you guys think?
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
eEye has made some pretty strong claims, but the article seems to say that they only go so far.
I am using OSsurance Desktop, which protects against all buffer overflow vulnerabilities by detecting overflows and refusing to run the code. OS Security also combined in the program refusal to run any program that the user does not add to a white list voluntarily and the function of detecting and refusing substituted dll’s (proxy attacks) as well as programs that self-modify on the way from the hard disk to ram.
I would like to see this article rewritten with awareness of OSsurance. There is a great (and by some miracle, objective) review at
http://kareldjag.over-blog.com/article-498061.html
Also, the main reason I tried OSsurance and bought it, was this press release from them, which is aimed at Firefox, but if you extend the logic, is really about all of Windows.
Anyway, the upshot of this whole discussion is that by using OSsurance I don’t feel the need to ever consider any specific vulnerability or download any “critical patch” (ooo, scary).
For the last two months I have seen OSsurance stop various attacks on my system and the guy on the overblog site above seems to have thrown everything at OSD that he can.
So there.
This goes along with what many of us have been saying for years- fix the code BEFORE adding any new features. Hopefully someday they’ll get it…
Having a second pair of eyes (forgive the pun) looking at code, documentation, published material, etc. is always a benefit. That’s why there are editors. Perhaps Microsoft, and other software publishers would do their customers a great service if they were to hire firms like eEye BEFORE releasing their product for beta testing. Imagine that, an O/S released and no security flaws. Perhaps Microsoft can devote their time between O/S releases to develop something truly innovative rather than constantly putting out fires.