Silicon Shecky

Infosec Practitioner

Connect

Overhype:Flu Vs. IT

By Leave a Comment

Keeping up in the IT world, you come across all sorts of interesting things. You also start seeing patterns that can almost be seen as a microcosm to the rest of the world. With all the focus on Swine Flu lately, you can see some similarities between the way it is being presented and say, Cornficker.

Swine Flu is still making headlines, while Cornficker has done exactly what I figured. It feel from the spotlight, and it fell hard. So hard that the FBI complained about the over-hype and problems that the over-hype caused. Now we are seeing that exact same over-hype with the whole Swine Flu health issue, but no one will ever say it was over-hyped. Cornficker, by the way, has one variant that is about the self destruct, while most of the others have been turning into spam-bots, creating a very large botnet.

The Swine Flu is a nasty illness, but it is being called an epidemic, when in reality such a small portion of people are getting it, and an extremely small amount are dying from it. Yes it is nasty, and yes it needs to be fought, but it doesn’t seem to be any more widespread than any other influenza, just a strain that is more rare.

So one has to wonder, with the latest Zero-Day Adobe Exploit, what we are doing about it. The answer is nothing. People are supposedly waiting for the patch for the newest exploit, yet they still haven’t applied the patches for the prior exploit. Mind you, these things get no press, even though they can be just as dangerous as anything else out there.

Yes, you should test patches before deploying them, but you need to have a plan and a time frame that is not insanely long for a decision. The patches for exploits out in the wild (zero-day) should be deployed as fast as possible. It is simple common sense.

Of course, common sense isn’t so common anymore. Just look at the plan on the Swine Flu “epidemic”.  It consists of scaring everyone to death, hurting the economy because of travel bans, and basically hyping the hell out of it until we become complacent and don’t even listen to the people who are basically crying wolf constantly about it.

Hype can be good, but in this day and age, we over-hype so much so fast that I have to wonder, “What are we thinking?”

Zero-Day Exploit: A Tale of Two Companies

By Leave a Comment

It is interesting watching how different companies look at patches, and security holes. It is more interesting to see one giant seem to fail at prompt patching for a Zero-Day exploit, while another gives a basic time frame and is pretty much right on as far as when the fix will be out. Of Course the two companies I am talking about are Adobe, and Microsoft.

Adobe released the patch for the JavaScript Vulnerability in all of its Acrobat products this past week. They had said they would have patches out by the 18th, when the flaw was pointed out by Symantec back in February. That is pretty prompt if you ask me. They acknowledge a serious flaw, say when they hope to have a patch available to close it, and then hit that time frame.

The fact of the matter is a great many pieces of software, both closed and open source, take these flaws and vulnerabilities seriously, and are very prompt in patching the holes. Yeah you hear Opens Source people talk about how much quicker they are able to patch things, but they tend to refer to Microsoft, and don’t think about all the other companies out there.

That does bring us to case 2, which just happens to be Microsoft. Back in January, a Zero-Day exploit in Excel was found. Now if a flaw like this had been found in Internet Explorer or Windows, we might have a patch for it already, probably released Out Of Band (not on the normal patch Tuesday every month). Instead, with it only being Excel, we are nearing the end of March, and still no patch for it. Now mind you this exploit was found a month before the Adobe one. Last I check, Excel was a very popular program, used by a lot of individuals and companies. Yet, Microsoft still has no patch for it.

Sure you can say that Excel is a complex program, but so is every program out there in this day and age. Sure you can say that Microsoft is working on it, except I haven’t heard anything about a patch from Microsoft. No expected time frame on getting a patch out, no nothing. Yes, this is the sort of thing the Open Source people feed on, and I can’t blame them.

I use both Microsoft, and Open Source software, so don’t think I’m bashing something I don’t use. Microsoft as a company has come a long way in their patch management, but they still have a long long way to go. Then again so does Linux, but that will be an editorial for another day.

I just want to know that I’m not going to have to deal with clients who get hit by the Excel exploit. Please get us our patch.