UPDATE: Several readers sent me a link to the paper, so I have it now. Thanks!
I didn’t use “FUD” in my title, because it frankly gets used so often, and sometimes even applied to me. FUD (or Fear, uncertainty, and doubt) is a sales or marketing strategy of disseminating negative (and vague) information on a competitor.
Now, the reasons I don’t think this applies to my recent vulnerability metrics posts are: 1) I was very specific in the data and analysis, 2) the data was factual, 3) the analysis is easily repeatable, and 4) I looked at it from different angles, including using a metric defined by Red Hat (wvi). Really, if factual analysis causes fear, uncertainty and doubt with respect to security on Linux, there must have been some large misperceptions involved in the first place.
Back to Symantec. Joris Evers (of CNET security blog fame) writes Symantec sees an Achilles’ heel in Vista. I can’t find this paper. I’ve “MSN searched” and I’ve “googled” and I can’t seem to turn up a copy of “Windows Vista Network Attack Surface Analysis: A Broad Overview”. So, my apologies for not commenting on the paper itself, which I will do when I get a copy to read. However, I will quote a few paragraphs from Joris’ article:
In their paper, titled “Windows Vista Network Attack Surface Analysis: A Broad Overview,” Symantec researchers put the networking technology in Vista under a magnifying glass to determine its exposure to external attacks. The team said it found several flaws in build 5270 of Vista and even more in earlier test versions. However, these were all fixed by Microsoft in build 5384, the version of the operating system that was publicly released in May as Beta 2.
So, in summary, Symantec analysis found a bunch of bugs in versions of Vista which Microsoft fixed before releasing Beta 2. Hmmm. Oh, and this part is really good too:
“We’re not saying that Vista’s network stack is going to be inherently insecure when it is released,” Oliver Friedrichs, director of emerging technologies at Symantec Security Response, said in an interview Monday. “Vista is one of the most important technologies that will be released over the next year, and people should understand the ramifications of a virgin network stack.”
Wow, I’m glad they’re not saying that. If they had said that, it might’ve been picked up in a news article and spread fear, uncertainty or doubt… I wonder where this could be going?
“IPv6 and its accompanying transition technologies allow an attacker access to hosts on private internal networks outside of the (purview) of the administrator,” the researchers wrote. As Vista becomes available, businesses should update security systems, such as firewalls and intrusion detection systems, to prevent that, they wrote.
Oh, I see. IPv6 is a networking protocol which builds on the common IPv4 by increasing the address space size and integrating IPsec security (see wiki). Companies could use that security to give VPN-connected systems virtual access to the network (just like current VPN technologies!). You’d actually have to set up a PKI infrastructure and issue certificates to use it that way. But, businesses should update firewalls and intrusion detection systems to prevent that. Huh! That doesn’t make much sense to me.
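For readers who want to see what “update firewalls and intrusion detection systems” for IPv6 transition traffic might concretely mean, here is an added example (mine, not from the post, from Symantec or from the CNET article). It classifies a few constructed IPv4 flow records and flags the ones carrying tunnelled IPv6. The identifiers it relies on (IP protocol 41 for 6to4/ISATAP encapsulation, UDP port 3544 for Teredo) are general IPv6 knowledge and are not stated anywhere in the post; the flow records and the `Flow` class are my own constructions.

```python
# Added example, not code from the original post: a minimal check of the kind a
# firewall or IDS rule review might apply, flagging IPv4 flow records that carry
# IPv6 transition-technology traffic. All flow records below are constructed.
# Assumed identifiers (general IPv6 knowledge, not from the post):
#   - 6to4 and ISATAP encapsulate IPv6 inside IPv4 using IP protocol number 41
#   - Teredo tunnels IPv6 over UDP using server port 3544
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_UDP = 17
PROTO_IPV6_IN_IPV4 = 41
TEREDO_UDP_PORT = 3544


@dataclass(frozen=True)
class Flow:
    """One IPv4 flow record as a firewall or netflow collector might log it."""
    src: str
    dst: str
    proto: int
    dst_port: Optional[int] = None
    src_port: Optional[int] = None


def classify_flow(flow: Flow) -> Optional[str]:
    """Return the transition technology a flow matches, or None if it is plain traffic."""
    if flow.proto == PROTO_IPV6_IN_IPV4:
        return "ipv6-in-ipv4 (6to4/ISATAP)"
    if flow.proto == PROTO_UDP and TEREDO_UDP_PORT in (flow.dst_port, flow.src_port):
        return "teredo"
    return None


def find_tunnels(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return (flow, label) pairs for every flow that looks like an IPv6 tunnel."""
    matches = []
    for flow in flows:
        label = classify_flow(flow)
        if label is not None:
            matches.append((flow, label))
    return matches


# Constructed sample data: one ordinary HTTPS flow, one protocol-41 tunnel,
# one Teredo flow, and one ordinary DNS query.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.9", 6, dst_port=443, src_port=49152),
    Flow("10.0.0.7", "203.0.113.20", PROTO_IPV6_IN_IPV4),
    Flow("10.0.0.8", "203.0.113.30", PROTO_UDP, dst_port=TEREDO_UDP_PORT, src_port=54321),
    Flow("10.0.0.9", "203.0.113.40", PROTO_UDP, dst_port=53, src_port=50000),
]

if __name__ == "__main__":
    for flow, label in find_tunnels(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}: {label}")
```

The point of the check is visibility, not blocking: a perimeter device that only understands IPv4 will log these flows as ordinary protocol-41 or UDP traffic and never inspect the IPv6 packets inside them, which is the gap the researchers are pointing at.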
However, they do later say this – but I note that this statement would not apply to IPv6, which will still be in Vista:
“We expect many of our results to be invalidated by changes made prior to its public release,” the researchers wrote.
Seriously, I look forward to getting a copy of the report itself and giving it a read, and I definitely don’t hold the researchers responsible for the “spin” that got put on their report (though the quotes from Oliver don’t seem quite as benign). At the end of the day, it wasn’t really clear to me what the “Achilles’ heel” was supposed to be. Keep in mind though, as I do, that they’re analyzing pre-Beta 2 code and acknowledge that the shipping product will have addressed many of the issues they found.
Regards ~ Jeff