Friday, 22 January 2010

Of facts and FUD

I have been waiting for the dust to clear before commenting on the latest round of cyber attacks. Now that the spin doctors are speaking up, it is time for some perspective.

Microsoft-speak is well documented these days. This is the language of marketing. So we hear that we should be using IE8 instead of IE6 (fair enough), but that a move away from IE, to Firefox say, will lower your security overall.

This follows the high-profile attack on Gmail in the last few weeks, which also affected a lot of others. It appears that crackers used an IE exploit to gain access to Google servers. To me this is neither surprising nor interesting. The fun bit is that the attack used technology loaded by Google in order to comply with a US law allowing better access for law enforcement.

Earlier this month I blogged on the new powers proposed for NZ spies etc. I suggested that the technology being used was open to exploitation by others. Here is the test case: just the same stuff, in Google, got used by China, though it was intended for the likes of the FBI and only with a search warrant. All our ISPs have the same problem.

But back to the reports. We see the classic signs of FUD; watch:

"I'm not aware that the vulnerability exists in other products," says Evans, "But those products may have other vulnerabilities."
Or they may not.

Asked directly when a fix would be ready, Evans states that the rollout might or might not be before the normal upgrade cycle, but has no further details.
Could this be any more vague?

"We are working to provide an update to the vulnerability. We are not seeing any attacks on IE8."
The vulnerability exists in IE8, it just has not been targeted yet. This is not the same thing as saying that IE8 is less vulnerable.

The overall thesis is that, this particular exploit notwithstanding, non-IE browsers are more vulnerable... overall. This is the impression you are supposed to walk away with.

This particular impression is probably best countered with the facts as they stand at the time of writing. Fortunately the footwork has already been done for me.

Secunia is a digital security firm which keeps tabs on vulnerabilities in a wide variety of software. They work closely with Microsoft, so I'm not citing enemies here. According to them, at the time Evans was speaking, there were 24 unpatched vulnerabilities in IE6, 11 in IE7, and 4 in IE8, not including the one used in the attacks. By comparison, the same company lists zero unpatched vulnerabilities for Firefox, Chrome, Opera, or Safari.

About half the readers of this blog use IE of some kind. I peer at you over the tops of my glasses.
