Vulnerabilities in unusual suspects

By James Turner
17/04/2009

The vendor threat report I reference the most is the one published by IBM’s X-Force. Their latest report, covering 2008, is fun enough to read if you’re an industry analyst, but two inclusions are particularly worth discussing. Firstly, there are some interesting new entries in the Top 10 of vendors ranked by disclosed vulnerabilities: Joomla!, Drupal, and TYPO3. All three are open source web content management systems written in PHP, and all three are into the top 10 with a bullet.


Open source CMS

So, open source packages in the Top 10, and highly popular packages at that. We’ve all heard the argument that open source means a thousand pairs of eyeballs get to review the code, and that this makes it “better”. It sounds good, but unfortunately, based on the results in the report’s vendor table, the theory just isn’t working.

I put it to you that the tribulations Microsoft has been through over the last decade have put it in a much stronger position with regard to quality control. For starters, Microsoft produces a massive amount of software (millions upon millions of lines of code) compared to a number of the others on that table. Microsoft may be number one, but look at its product range, install base, and customer base. Joomla! may be popular, but it’s still just a content management system (CMS).

Surely any person with half a brain would look at this and prefer products from a company which has already taken a first-class beating and consequently shown marked improvement, rather than risk it with a product set whose “you can’t freakin’ tell me what to do, man!” enthusiasm looks about to lead it into the tender embrace of cyber criminals?

Maybe I’m being overly polemical about the failings of our well-meaning open source friends. I have another soap-box rant about Microsoft, Internet Explorer, anti-competitive practices, bloatware and Media Player – I can even recite it in rhyming couplets.

But seriously, chucking together software intended to sit on internet-facing servers, with the creators taking an “it’s close enough, so let’s release it” attitude, betrays our trust and ignores the hard-earned lessons of the past. Yes, Microsoft’s lessons.

Not only CMS, but web browsers too!

A second important point in the report is the data on vulnerabilities in web browsers and their myriad plug-ins. This quote is both troubling and hilarious: “In the first half of 2008, 94 per cent of all browser-related public exploit code was published within 24 hours of official vulnerability disclosure ... by the end of 2008, only 89 per cent of all browser-related public exploit code was published within 24 hours”. Oh good, now it’s down to 89 per cent. I was getting worried at 94, but 89 I can live with.

But what this means is that on one side of the cloud we have content management systems being slapped together and launched on a blissfully ignorant public, while on the client side of the cloud we have browsers and plug-ins for which public exploit code appears within a day of disclosure, well inside the time most organisations take to roll out a patch. Outstanding!

This is a nasty combination

How many workers in your organisation have web access? Most? All? My guess is that everyone who has a computer and a desk will have web access. The browser, not the operating system, is the new frontline.

I wrote a research note recently in which I argued that web browsers should be considered part of an organisation’s perimeter. If all your web-accessing workers are surfing through the day, what are the chances that at least one of them will visit a site hosting malware, because the site runs an open source CMS which has been compromised?

Can I urge you to reconsider whitelisting the websites your organisation will permit access to? A whitelist narrows the exposure rather than removing it: a permitted site can itself be compromised, so the browsers and plug-ins behind the list still need patching as soon as fixes appear.
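As an added example (not part of the original article, and not code from any product it names), here is the kind of check a forward proxy or URL filter would make before letting a browser out to a site. The allowed domains and the sample URLs are constructed for the illustration. The point it shows is that the whitelist has to be matched against the host the browser will actually connect to, not against the URL as a string: a naive substring match lets userinfo tricks and lookalike domains through, while the hardened check is default-deny and only accepts an allowed domain or a label-aligned subdomain of one.

```python
# Added example: domain whitelist enforcement, weak version beside hardened version.
# ALLOWED_DOMAINS and SAMPLE_URLS are constructed for illustration only.
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Constructed allowlist; a listed domain also covers its subdomains.
ALLOWED_DOMAINS = frozenset({"intranet.example", "vendor.example", "example.org"})

# Constructed sample of URLs as a proxy might see them during a day's browsing.
SAMPLE_URLS = [
    "https://intranet.example/wiki",
    "http://docs.vendor.example:8080/guide.pdf",
    "https://EXAMPLE.ORG./news",                    # case and trailing dot
    "http://intranet.example@evil.example/",        # userinfo trick
    "http://example.org.attacker.example/login",    # allowed name as a prefix
    "http://notexample.org/",                       # allowed name as a suffix
    "ftp://vendor.example/pub",                     # scheme the proxy should not pass
    "javascript:alert(1)",
]


def naive_is_allowed(url: str, allowed: Iterable[str] = ALLOWED_DOMAINS) -> bool:
    """The weak version: a substring match over the whole URL.

    It passes anything that merely *contains* an allowed name, so the userinfo,
    prefix and suffix tricks in SAMPLE_URLS all sail through.
    """
    return any(domain in url.lower() for domain in allowed)


def canonical_host(url: str) -> Optional[str]:
    """Return the host a browser would actually connect to, or None if the URL
    is not an http(s) URL with a usable host."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    host = parts.hostname          # lower-cased; userinfo and port already stripped
    if not host:
        return None
    return host.rstrip(".")        # 'example.org.' names the same zone as 'example.org'


def is_allowed(url: str, allowed: Iterable[str] = ALLOWED_DOMAINS) -> bool:
    """Default-deny check: the connecting host must equal an allowed domain or be
    a label-aligned subdomain of one ('docs.vendor.example' yes, 'notvendor.example' no)."""
    host = canonical_host(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in allowed)


def classify(urls: Iterable[str] = SAMPLE_URLS) -> dict:
    """Map each URL to (naive verdict, hardened verdict) so the two can be compared."""
    return {u: (naive_is_allowed(u), is_allowed(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, strict) in classify().items():
        print(f"{'ALLOW' if strict else 'DENY ':5}  naive={'allow' if naive else 'deny':5}  {url}")
```

Running the block prints both verdicts for every sample URL; only the first three are allowed by the hardened check, while the naive check also waves through the userinfo, prefix, suffix and ftp cases. Whatever enforces the list in practice (a proxy ACL, a browser policy) should be tested with exactly these kinds of inputs before anyone relies on it.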
