Keep it simple, stupid
Posted on 16 May 2005 at 10:58
Davey Winder looks at cutting the spam reaching his BlackBerry, while thinking about laptop legs and compromising situations
Firefox FUD Dud
During the weeks prior to writing this column, the web has exploded with FUD (Fear, Uncertainty and Doubt, another useful TLA), thanks to a flaw in Sun's Java Virtual Machine. Affecting JRE and SDK 1.3.x/1.4.x, this flaw meant that under certain circumstances JavaScript code would be able to both create and transfer objects to untrusted applets. This became a magnet for the spyware-writing community as soon as the flaw was announced. Luckily, Sun Microsystems reacted quickly by issuing a patch and building this into versions from 1.3.1_13 and 1.4.2_06 of both SDK and JRE.
Not that you would notice Sun's response from the acres of screen estate that's been devoted to the problem in the blogs, newsgroups and on many online information sites that really should know better. Reading these then, and even now, you could be forgiven for believing that this is a Firefox problem. It seems the temptation to knock down this rising star, especially when it is advanced by trading on the security weaknesses of Internet Explorer (IE), was too much to resist. Some folk did try to spread the blame by saying that Firefox users were unprotected against a spyware exploit that was an IE flaw (which was equally wrong, of course), but I fear the damage has already been done, given the number of my clients and readers who have been in touch to ask whether they should stop using Firefox.
Let's get one thing straight here: this is not, and never was, a Firefox flaw. Just for the record, it wasn't an IE one either. It is not even OS specific, as Sun has admitted that it could be exploited under Windows, Linux or Solaris. All browsers that make use of Sun's Java plug-in are equally at risk, but only from 'idiot user' syndrome, because in order for the flaw to be exploited a user would have to agree to run unsigned Java applets by way of the bog-standard security dialogs. The fact that such dialogs would only pop up when browsing a certain website, where the original exploit that caused all the fuss in the first place was hosted, should surely be enough of a red flag for all but the most tragically inept. However, it does serve as a good excuse for me to yet again bang on with my 'Don't Click It' message, especially when 'It' comes covered in warnings about being unsigned, unauthorised and potentially harmful.
To which I would also like to add that the only 100 per cent secure web browser, or PC, is one that is not running. Firefox remains my browser of choice, not because it is less likely to be exposed to security flaws in the future, but because the very nature of the open-source community standing behind it, and the relative simplicity of the browser's code, means that those vulnerabilities are likely to be corrected much more quickly than is possible for the much more code-complex IE.
New Threats
At the exact same time as all this Firefox FUD was circulating, I happened to be visiting a client in Marlow and took the opportunity to indulge in a rather pleasant lunch with a couple of chaps from Symantec, to talk about the latest Symantec Internet Security Threat Report. These twice-yearly reports, now in their seventh year, have become something of a landmark for consultants working in the security area, as they have a history of being spot-on when it comes to trend-spotting.
Covering the period from 1 July to 31 December 2004, the latest report not surprisingly confirms that it is your personal data that's the target of most attacks. To quote from the key findings: 'malicious code created to expose confidential information represented 54 per cent of the top 50 malicious code samples received by Symantec, up from 44 per cent in the first six months of the year and 36 per cent in the second half of 2003. This is blamed partially upon the proliferation of trojans, which represented some 33 per cent of the top 50 malicious codes reported to Symantec'. Shockingly, the anti-fraud filter component of Symantec's anti-spam service was blocking 33 million phishing attempts each week in the second half of last year, up from 'just' nine million in the previous six months. That's a 366 per cent rise, and Symantec is in no doubt that the trend will continue on its upward climb this year. Web applications are also on the up: some 48 per cent of all documented vulnerabilities fell into this category, compared with 39 per cent in the first half of the year. These two trends are linked, of course, because web application vulnerability is used to get behind firewalls and to get at personal data once more.
Printed from www.pcpro.co.uk


