Posts by sward

3 posts • joined 20 Feb 2013

And the buggiest OS provider award goes to ... APPLE?


Stop counting CVEs!

I can well believe Windows has got to a stage where security vulnerabilities are not as prevalent (relatively - they're probably absolutely more prevalent) as they once were, but...

Stop counting CVEs!

It's not even accurate enough for a ballpark figure.

CVEs are public (after any embargo). Not all security vulnerabilities are made public, and Microsoft are as guilty as, if not more than, any other vendor. It's CVE counts like this that actually encourage vendors to avoid disclosure if at all possible.

Microsoft handles its own CVEs, as do other vendors such as Red Hat. Sure, they all have guidelines on what to issue CVEs for, but all CVEs are not equal. A single CVE identifier is supposed to cover one issue, yet Microsoft has been known to issue one CVE covering many vulnerabilities.

Disclosure of security vulnerabilities is not exposure to security vulnerabilities. The timely disclosure of vulnerabilities is more likely to prevent exposure because it gives those actually maintaining the systems the opportunity to mitigate the vulnerabilities. The very fact that Microsoft complained about Google's 90-day disclosure policy, that's ~3 months by the way, means they are not fixing vulnerabilities they know about in a timely manner. You can't assume that just because a vulnerability is not widespread public knowledge that attackers don't know about it. This goes even more so for a vulnerability that has already been reported to the vendor -- at least one other actor, the reporter, knows about the vulnerability, and you should assume that others do too.

Amazon, eBay, banks snub anti-fraud DNS tech, sniff securo bods


DNSSEC implementation flaws

Q: What's the world's most popular nameserver?


Q: How many security flaws were announced/patched for BIND last year? How many of them were related to DNSSEC?

A: I don't know, I think I lost count. The vast majority of them were DNSSEC related in any case.

Are DNSSEC implementations even mature enough to use yet? Sure, somebody thought they were good enough for the root servers, but that doesn't mean they're good enough for everyone else.


DNSSEC isn't trivial, doesn't gain much

DNSSEC is not trivial to implement and maintain. You need to at least deal with more keys and institute another key rollover policy. One mistake can cause a denial of service for lots of people. DNS spoofing is not trivial either, and the risk of doing that may be perceived to be less than the effort of maintaining DNSSEC for your domains.
