Security's Everyman

Friday, January 05, 2007

Too many cooks spoils the broth

Brian Krebs over at Security Fix wrote a really good piece on the Adobe flaw that exposes pretty much anyone who uses Adobe with JavaScript enabled to an XSS attack. That covers about 99.9% of computer users. The really scary part is that you don't have to visit a bad web site; you don't have to do much more than open a PDF from a web site. The good news is that it looks like you do have to click on a "specially crafted link" for the commands to be passed to JavaScript, but the link could come from a supposedly trusted site itself. Brian gives a good overview of it in his article. There is also good news in that the problem is not present in version 8 of Adobe, and that there are other options beyond completely disabling JavaScript and never viewing PDFs on the web. Again, Brian gives some good advice on this.

My beef with this is that once again we see software vendors loading their software down with features that are completely unnecessary. They put in more bells and whistles to lure customers into upgrading for all the "cool" new features. Why do we need all these "new" features? Why can't we just get by with what we already have? 99% of software users never use the features that were included in versions released 5 years ago. Why do we need new ones that won't be used either?

I understand that there are "niche" markets where these features are used and that software vendors need to give their customers what they want and need, but why can't these things be "after market" add-ons that are available to download or to install from the CD? Just as there has been a push for hardware vendors to ship their gear with security enabled by default, there should be a push for software vendors to ship their code in the most secure way. We all know that the more you add and the more complex you make something, the harder it is to secure. We as security professionals have to make a lot of noise about such things so that the vendors get the message. We also have to go one step further and make everyone we know aware of such issues, and encourage them to let the vendors know how they feel. We can't continue to let unnecessary convenience and our desire for the "latest and greatest" make us less secure. Our lives depend too much on computers and technology to keep producing insecure products.

1 comment:

cdman83 said...

As a software vendor (which I'm not :)) my thoughts on distributing optional add-on packs would be: if I don't provide all the features at once, it can be a real pain in the lower end: if the client wants to use the specified feature, s/he must take additional actions the first time. S/he might not have the proper privileges to do this (for example in a corporate environment). This results in additional help-desk time. If I (the software vendor) want to make the new feature useful I already have to battle the fact that there are clients who don't update to the latest version. Do I need an additional headache worrying about different possible setups of my application?

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.