Most anyone who has been in the security industry for a while is familiar with the term ‘security theater’. It’s a term used for security that is about show, rather than substance.

Since I became the Product Manager for Windows Vista security I have noted that the same concept seems to increasingly apply to the  world of vulnerability disclosure – let’s call this  ‘vulnerability theater’.

Vulnerability theater is where an individual, or group, will report a vulnerability that is – and let’s be polite –  over-blown. OK, so maybe it’s not a brand new phenomenom but it certainly seems more common since  the release of Windows Vista!  Perhaps it’s a desire on the behalf of the person making the disclosure to be one of the first to find or report a flaw in a new OS, but in some instances the lengths and steps an individual will go through to claim a vulnerability strain believability.

Hypothetical  example: Someone might report a ‘stunning, world shattering’ Windows Vista vulnerability that allows an application to ‘steal all the users data’.  However when we dig past the shock and horror and into the actual facts behind the vulnerability we discover that this earth shattering attack requires that the attacker has both physical access to the PC as well as administrator rights to the PC. Well hang on a second…if you have physical access and admin rights to the PC you effectively have rights to the box. It’s 0wned!

That’s not a vulnerability – that’s ‘vulnerability theatre’.

So – how do we differentiate between the real and the less substantial?

Here’s a checklist of questions/observations one should consider:

1)      If the vulnerability requires Administrator credentials to execute then carefuly consider if it’s really a vulnerability. Admin’s 0wn the box. That’s the nature of the Admin account. User Account Control in Windows Vista means that far fewer people should have to run as Administrator or indeed have Admin creds at all.  You should ask yourself how the supposed vulnerabilty got admin rights.  If the assumption is the user already has them and then inapparopriately enters them, then it’s most likely not a vulnerabiity…. It’s a user completing or executing an action.

 

2)      If you provide Admin credentials to an application understand that it 0wns the box! That means it can download and install other stuff, disable stuff, export stuff and in fact generaly mess with stuff including a Standard Users environment. If the attack is a multi-stage attack that requires, at some point in time, Admin credentials then see point 1 above!  Many examples of supposed vulnerabilties we see are a varient of this point, which is really a from of social engineering (tricking the user into completing an action), as opposed to an operating system level vulnerability.

 

3)      If the vulnerability requires that a user ignore numerous warnings and carries on regardless then the O/S is doing what it’s told to do!  Let’s be reasonable: If a user is warned by Outlook that the email looks like spam but clicks on the link anyway, then is warned by IE that the website looks suspicious but continues to navigate to it anyway, if they then ignore the Defender warning that the mortgage calculator they just downloaded is spyware, then, frankly, the O/S is doing what the user intends that it do!

 

4)      Is the vulnerability addressed by an existing application setting or security policy? This is an important question to ask oneself.  Security is about making choices.  Make default policy too restrictive and users will have to interact with the software more to do what they want.  Conversely, focus on ease of use by making the default settings less stringent and you increase the chance that a system can be attacked.  I truly think that Microsoft has developed the right balance and made the right decisions when evaluating the tradeoffs between usability and security for the default Windows Vista experience; but what is typically overlooked is the fact that many of the security technologies have numerous options that allow for a user (or Administrator!) to make their own judgments as to their need for security balanced against usability. For examples go take a look at the Windows Vista Security Guide at http://www.microsoft.com/downloads/details.aspx?FamilyId=A3D1BBED-7F35-4E72-BFB5-B84A526C1565&displaylang=en .

 

5)      Theory and Practice! Another important point to consider is the real world applicability of a vulnerability. Hypothetical observation: Is a key-storage mechanism that takes 1,000 Billion years to theoretically crack more ‘vulnerable’ than one that takes  10,000 Billion years to theoretically crack. Yes it is, but would most companies or individuals really care?

 

Security is vitally important and I can assure you that everyone at Microsoft takes it very seriously.  This post isn’t meant to make light of how we react to and address potential security vulnerabilities in any Microsoft product – we take every potential threat very seriously and treat each report the same in terms of investigation. Rather, what I really wanted to highlight is that not all reported vulnerabilities are equal and that we should look a bit closer than the headlines and into the detail, and that sometimes, to borrow a common saying, the bark is worse than the bite.

Of course vulnerabilities do exist; none of the security features in Windows Vista, either individually or collectively, are intended as a “Silver Bullet” solution to the problem of computer security.  Instead, a defense in depth approach makes Windows Vista far more difficult to attack than any previous version of Windows, thus making it more secure.

It’s also important to remember that Microsoft has an unparalleled worldwide security response process operated through the Microsoft Security Response Center (MSRC) that responds quickly to security threats and to provide customers with the information, guidance, and mitigation tools and measures they need.

So, yes - whilst there are real threats to computer security I hope I have shown that there are also threats that get a tad over-blown. Please consider the five points above the next time you see a ‘shock-horror’ headline J

Russ Humphries