The Fine Line Between Security and Usability
Update: This article seems to have generated more than the usual amount of criticism. If you find yourself in that position after reading it, why not read this followup, which explains many of the points that readers seem to find objectionable.
Finding the right balance between security and usability is difficult for any software developer. Recently, a set of issues was disclosed in which it was apparent that Microsoft had worsened the security situation for its users, either through the software shipped with Windows or through its response to reported problems.
Whether it is Microsoft's desire to make computing as simple as possible for the masses, or simply a question of economics, the inclusion of the affected Macrovision DLL in Windows XP and 2003 could be interpreted as both. If Microsoft hadn't included it, many users would have been confused as to why their software wasn't quite working as expected, and why a newly purchased game was seeking to install core system components. On the other hand, by providing the software, millions of business systems that will never see gaming software installed, and which have no need for this particular anti-copying measure, carry the component anyway. In this instance, Microsoft identified the problem and issued a patch before it became too serious.
On the other hand, predictable (pseudo)random number generation isn't something that most people encounter on a routine basis, but it can have real-world effects when systems rely on that number generation to determine how network responses should be sequenced. While this was one of the patches issued by Microsoft in the November release cycle, it should be noted that numerous sources were carrying information about the predictability of the number generation before the patches were released. Not only this, but Apple's Security Update 2007-008 / OS X 10.4.11 release, which came out in the same week, included an update for BIND that addressed a similar-looking weak (pseudo)random number generation issue. While it may have been coincidental, it is interesting to see two major software vendors provide updates for very similar DNS server problems in two different DNS server products in roughly the same timeframe.
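The weakness described above is easy to audit for from the defender's side: capture a run of transaction IDs from a resolver and measure how guessable each one is from the ones before it. The following is an added example, not code from the original post or from either vendor; the three ID streams in it are constructed (a fixed-step generator, a generator that only varies the high byte, and a seeded generator standing in for an unpredictable source), and the thresholds are illustrative.

```python
"""Audit a sample of 16-bit DNS transaction IDs for predictability.

Added example (not from the original post): the three ID streams below are
constructed, not captured from a real resolver. The first mimics a generator
that steps by a fixed increment, the second keeps the low byte constant, and
the third stands in for an unpredictable source (seeded only so the run is
reproducible).
"""
from collections import Counter
import math
import random

ID_BITS = 16
ID_SPACE = 1 << ID_BITS


def delta_predictability(ids):
    """Fraction of IDs an observer could have guessed exactly by assuming the
    increment between the previous two IDs repeats (mod 2^16). Sequential or
    fixed-step generators score close to 1.0; a good source scores near 0."""
    if len(ids) < 3:
        return 0.0
    hits = 0
    for i in range(2, len(ids)):
        step = (ids[i - 1] - ids[i - 2]) % ID_SPACE
        if (ids[i - 1] + step) % ID_SPACE == ids[i]:
            hits += 1
    return hits / (len(ids) - 2)


def low_byte_entropy(ids):
    """Shannon entropy, in bits, of the low byte of each ID (maximum 8).
    A cheap check for generators that only vary part of the ID."""
    counts = Counter(x & 0xFF for x in ids)
    n = len(ids)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def audit(ids, max_predictable=0.05, min_entropy=6.0):
    """Return ("weak" | "ok", metrics). Thresholds are illustrative."""
    pred = delta_predictability(ids)
    ent = low_byte_entropy(ids)
    verdict = "weak" if pred > max_predictable or ent < min_entropy else "ok"
    return verdict, {
        "predictable_fraction": round(pred, 3),
        "low_byte_entropy": round(ent, 2),
        "distinct_ids": len(set(ids)),
    }


# Constructed sample 1: a resolver that adds a fixed step to each ID.
FIXED_STEP_IDS = [(0x1234 + 7 * i) % ID_SPACE for i in range(512)]

# Constructed sample 2: random high byte, but the low byte never changes.
_rng = random.Random(2007)
FIXED_LOW_BYTE_IDS = [(_rng.getrandbits(8) << 8) | 0x42 for _ in range(512)]

# Constructed sample 3: full 16-bit values from the seeded generator,
# standing in for a properly unpredictable source.
RANDOM_IDS = [_rng.getrandbits(ID_BITS) for _ in range(512)]

if __name__ == "__main__":
    for name, sample in (("fixed-step", FIXED_STEP_IDS),
                         ("fixed-low-byte", FIXED_LOW_BYTE_IDS),
                         ("random", RANDOM_IDS)):
        verdict, metrics = audit(sample)
        print(f"{name:15s} {verdict:5s} {metrics}")
```

The two metrics deliberately catch different failure modes: the fixed-step stream has a perfectly uniform low byte yet is fully predictable from two observations, while the fixed-low-byte stream defeats the step test but has no entropy at all in half of the ID. Either finding alone is enough to treat the resolver as weak.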
Another issue which came to light last week may pose more of a problem for business and home users, especially given that Microsoft told the discoverer that it would not be patching the remote code execution vulnerability he had reported:
"Microsoft replied to me that they would not fix this vulnerability; it looks like they will not acknowledge vulnerabilities which are from .mdb files".
Microsoft's response points to a Knowledge Base article which merely leads to a list of filetypes that various Microsoft products consider 'unsafe'. It doesn't actually state that end users should stop using the filetype, or that Microsoft will no longer support it.
As far as JET .mdb files go, Microsoft seems to have somewhat deprecated the technology, but it is still supported by the latest version of Access (Access 2007).
Not every application in use can or will be migrated to the Microsoft Desktop Engine (MSDE) or SQL Server 2005 Express Edition / SQL Server 2005 Compact Edition, so there will be plenty of viable targets where exploits can find traction.
Probably the biggest defensive factor against widespread exploitation of this vulnerability is that an attacker must get a malicious .mdb file onto the target system and then have it processed by the JET engine. As ruder points out, some web servers could be at risk if users can upload a malicious .asp / .mdb file and then execute it via calls to "ADODB.Connection".
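Since getting the file onto the server is the precondition, the web-server case above comes down to upload screening that does not trust the uploader's filename. The following is an added example, not code from the original post or from ruder's report: it rejects uploads that are JET/Access databases or ASP script, judged by the file's leading bytes as well as its claimed name. The "Standard Jet DB" marker at offset 4 is the documented Jet 3/4 header signature; the sample payloads are constructed.

```python
"""Server-side screening of uploads for the web-server scenario above.

Added example, not code from the original post: reject uploaded files that
are JET/Access databases or ASP script, judged by the file's leading bytes
as well as its claimed name, so that a renamed .mdb is still caught. The
'Standard Jet DB' marker at offset 4 is the documented Jet 3/4 header
signature; the sample payloads below are constructed.
"""
import os

# Extensions never accepted from untrusted uploaders on a server that can
# hand files to the JET engine or the ASP script host.
DENIED_EXTENSIONS = {".mdb", ".mde", ".accdb", ".asp", ".aspx", ".asa"}

JET_SIGNATURE_OFFSET = 4
JET_SIGNATURES = (b"Standard Jet DB", b"Standard ACE DB")
ASP_MARKERS = (b"<%", b'<script runat="server"')


def is_jet_database(data):
    """True if the content carries a JET/ACE database header."""
    head = data[JET_SIGNATURE_OFFSET:JET_SIGNATURE_OFFSET + 15]
    return any(head.startswith(sig) for sig in JET_SIGNATURES)


def looks_like_asp(data):
    """True if the first 4 KiB contain server-side script delimiters."""
    sample = data[:4096].lower()
    return any(marker.lower() in sample for marker in ASP_MARKERS)


def screen_upload(filename, data):
    """Return (accepted, reason) for one upload."""
    # Normalise the claimed name: drop any directory part, then the trailing
    # dots and spaces that Windows discards when it creates the file
    # ("evil.mdb." becomes "evil.mdb" on disk).
    base = os.path.basename(filename.replace("\\", "/")).rstrip(". ").lower()
    # Every dot-separated suffix is checked, so "report.mdb.txt" is caught
    # along with a plain "report.mdb".
    for suffix in base.split(".")[1:]:
        if "." + suffix in DENIED_EXTENSIONS:
            return False, "denied extension ." + suffix
    # Content checks run regardless of what the name claimed.
    if is_jet_database(data):
        return False, "content is a JET/Access database"
    if looks_like_asp(data):
        return False, "content contains server-side script markers"
    return True, "ok"


# Constructed samples: a minimal JET-style header, a benign ASP fragment,
# a JPEG start-of-image marker, and plain text.
JET_SAMPLE = b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 64
ASP_SAMPLE = b'<% Response.Write("hello") %>'
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 64
TEXT_SAMPLE = b"quarterly figures attached\n"

if __name__ == "__main__":
    for name, data in (("report.mdb", JET_SAMPLE), ("report.txt", JET_SAMPLE),
                       ("page.asp.", TEXT_SAMPLE), ("index.html", ASP_SAMPLE),
                       ("photo.jpg", JPEG_SAMPLE), ("notes.txt", TEXT_SAMPLE)):
        print(name, screen_upload(name, data))
```

The content checks are the point: a filter keyed on the extension alone never sees the database hidden in "report.txt". Screening is still only one layer; the upload directory should also sit outside the web root, or have script execution disabled, so that an accepted file cannot be invoked through the script host at all.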
Unfortunately for Access users, this is just one of several arbitrary code execution problems affecting the .mdb file format that may never be fixed by the vendor (the linked one is from 2005 and may be related).
While vendors do have to draw the line somewhere on the filetypes and application versions they will continue to support, refusing to provide security fixes for serious vulnerabilities is a failure of their duty of care to their users.
Update: Did the above angry up your blood? Then the following might help.
19 November 2007