Your browser is obsolete!

The page may not load correctly.

The workshop

Кухня

Other issues in this category (38)
  • add to favourites
    Add to Bookmarks

Harmful and useful

Read: 8923 Comments: 3 Rating: 18

Tuesday, April 25, 2017

An ongoing war has been raging for years between researchers, who claim they’ve found defects that will cause the world to end or worse, and software developers, who claim that those defects aren't really that severe. "It's not a bug; it's an undocumented feature", that's what developers usually say in their defence.

As a rule, situations of this kind occur because developers do not factor in all the situations in which their programs will operate or the behaviour of those using them. For example, one can use a smartphone to shovel snow, and sometimes it may indeed come in handy for that.

When we say "a bug", we usually mean that a program doesn't work the way it’s supposed to or that it can be used to perform tasks it’s not supposed to.

Defects can also be caused by mistakes made during a program’s development or testing, such as failing to test the application in all possible situations, library errors, etc.

Defects (including vulnerabilities) probably exist in all programs except "Hello, World!", but their severity varies. In fact, some defects do not manifest themselves on their own. For example, to deploy an exploit, attackers may need full access to a target computer, and administrative privileges to boot. But, in this case (if attackers acquire the privileges), why bother with an exploit if a malicious act can be executed manually?

This is one of the reasons why developers may refuse to resolve an issue: users are highly unlikely to encounter it in real life. However, all kinds of things can happen…

Awhile ago, Microsoft refused to release a security patch to close a TCP/IP stack vulnerability under Windows XP and Windows 2000. "We're talking about code that originated 12 to 15 years ago and is too old, so backporting it is simply not feasible," said Microsoft’s security program manager Adrian Stone.

http://www.securitylab.ru/news/385475.php?pagen=6

However, let's take a look at a more severe example.

Google refused to resolve an issue involving the 'continue' parameter on the Google login page (https://accounts.google.com/ServiceLogin?service=mail) Moreover, in a reply to Aidan Woods who reported the issue, the corporation indicated that it didn't regard the defect as a security problem.

Appending ‘continue=[link]’ to the login page’s URL allows users to be redirected to the Google service they intend to use (provided that they enter the correct password).

To avoid phishing attacks, Google restricted this parameter’s use to google.com addresses. That way, a user can be redirected to drive.google.com or docs.google.com, but not to example.com. Woods found a way to bypass this restriction. According to Woods, Google’s server doesn't check whether the link that follows the amp parameter is secure. Also, a link can direct a user to any site on the Internet.

It should be noted that in the Google Webmasters blog, the company stated that it didn't regard open redirect URLs as a security issue.

http://www.cnews.ru/news/top/2016-08-31_google_otkazalas_ustranyat_uyazvimost_na_stranitse

It looks like a feature, right? Or is it an issue? Apparently, there’s no simple answer. The technology is intended to facilitate easy navigation between web resources; it can also be used to direct visitors between partner sites. To put restrictions in place, the technology will need to be modified. And although that may not be very difficult, it can cause other issues to crop up. For example, if a technology’s use is limited to the addresses in a certain database, someone can compromise that database.

Indeed, this scenario presents a golden opportunity for phishers, but to make sure that this feature doesn't become an issue, one must simply avoid clicking on links in dubious messages. And if you do click without thinking, none of Google’s security measures will save you from impending catastrophe.

#terminology #technologies #exploit #vulnerability #Dr.Web_settings #Parental_Control

The Anti-virus Times recommends

If someone tells you about a miraculous cure or that judgment day is at hand, etc., make the effort to learn about counter arguments. As far as information security is concerned, don’t believe all the claims and statements you hear because:

  • Danger doesn't come from a defect but rather from an exploit that leverages it.
  • It can cost companies millions to resolve a defect, money they may not have to spend. Is it worth fixing a defect if the probability of it being exploited by attackers is low? And if the answer to that is no, is there any reason to spend money on fixing it?

Excellent news for Dr.Web Security Space users: the Dr.Web Parental Control and its blacklists will protect you from being exposed to malicious sites (you do remember that Doctor Web managed to cut the size of its blacklist databases by half, without reducing their effectiveness?

[Twitter]

Tell us what you think

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.

Comments

Comments to other issues | My comments