A new computer worm infects PCs by attacking security software, according to a Brian Krebs story in Saturday’s Washington Post. The worm exploits flaws in two personal firewall products, made by Black Ice and Real Secure Internet. Just to be clear: the firewalls’ flaw is not that they fail to stop the worm, but that they actively create a hole that the worm exploits. People who didn’t buy these firewalls are safe from the worm.
This has to be really embarrassing for the vendor, ISS. The last thing a security product should do is to create more vulnerabilities.
This problem is not unique. Last week, another security product, Norton Internet Security, had a vulnerability reported.
Consumers are still better off, on balance, using PC security products. On the whole, these products close more holes than they open. But this is a useful reminder that all network software carries risks. Careful software engineering is needed everywhere, and especially for security products.
“I therefore claim that most of those personal firewalls are snake-oil and just a money-making scheme, trying to fool people into buying this stuff instead of applying pressure to the software vendors to ship their products with safe settings and bug-depleted code (which they need anyway, because you cannot always have a firewall in front of everything).”
If you were a firewall company, how much of a change do you think you could have Microsoft make? If you are going to run the same OS-code on many machines, it has to satisfy the majority of people’s needs, and disabling some of those services just creates problems.
We just cannot live in a service-less world anymore. Limiting services is limiting functionality (though sometimes un-needed functionality), so unless we unplug our computers and go back to pong, there will be some need for firewalls. There are no panaceas to computer security, so people disable services *and* use firewalls.
I think you could argue that firewalls now give false senses of security, but do you really feel firewalls are ever worthless?
Witty Worm Analysis
Peter Harsha at CRA points to an interesting analysis, by Colleen Shannon and David Moore of CAIDA, of the recent Witty worm….
As a basic principle, if you add more software to a computer system, you add more bugs. Normally one argues that by limiting the exposure to foreign, malicious data (network packets) to a small amount of well-written code you add to the robustness of the system by decreasing the number of exposed bugs. You assume that the firewall code is smaller and more concise than, for example, a big database server, and thereby easier to keep bug-free.
But: on most machines, it does not make sense to have any service running in the first place (Windows machines ship with a plethora of unneeded services listening), so instead of installing an additional product one could just disable all that stuff, reducing the amount of exposed code to the operating system’s ip/tcp/udp stack that is just refusing all connections.
This code certainly is audited to a greater extent than any personal firewall, is smaller (those “personal firewalls” have to show big flashy windows creating the illusion of a never-ending threat to security, thereby increasing the need for more “security” products) and thereby almost certainly safer to expose.
I therefore claim that most of those personal firewalls are snake-oil and just a money-making scheme, trying to fool people into buying this stuff instead of applying pressure to the software vendors to ship their products with safe settings and bug-depleted code (which they need anyway, because you cannot always have a firewall in front of everything).
Please note: I don’t want to say that firewalls are a bad idea per se; they just are a bad idea in 80% of all cases, and in 99% of the common case of “Aunt Tilly” and her personal computer.
And as a non-security sidenote: by warning about every single dropped packet in big flashy windows, these firewalls annoy administrators everywhere because their users phone in to complain about someone “attacking my computer”…
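The comment above argues that the right fix is to find out what the operating system actually exposes to the network and switch it off, rather than bolting on more code in front of it. The script below is an added example (not from the post or the commenter) of that first step on Linux: it parses the kernel's /proc/net/tcp and /proc/net/udp socket tables and separates sockets that are reachable from the network from those bound only to loopback. The two tables embedded in it are constructed sample data so it runs offline; audit_host() reads the live tables when run on a Linux host.

```python
#!/usr/bin/env python3
"""List listening sockets from Linux /proc/net/{tcp,udp} (IPv4 only).

Added example for auditing exposed services: TCP sockets in LISTEN state
and bound UDP sockets are reported, split into network-reachable and
loopback-only. SAMPLE_TCP / SAMPLE_UDP are constructed test data.
"""
from __future__ import annotations

import ipaddress
import socket
import struct
from dataclasses import dataclass

TCP_LISTEN = 0x0A  # 'st' column value for a listening TCP socket
UDP_UNCONNECTED = 0x07  # bound, unconnected UDP sockets show state 07


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int
    inode: int


def _decode_ipv4(hex_addr: str) -> str:
    # /proc/net/tcp stores IPv4 addresses as a host-order (little-endian on x86) 32-bit hex value
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))


def parse_proc_net(text: str, proto: str) -> list[Listener]:
    """Parse the text of /proc/net/tcp ("tcp") or /proc/net/udp ("udp")."""
    wanted = TCP_LISTEN if proto == "tcp" else UDP_UNCONNECTED
    found = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local, state, inode = fields[1], int(fields[3], 16), int(fields[9])
        addr_hex, port_hex = local.split(":")
        if state == wanted:
            found.append(Listener(proto, _decode_ipv4(addr_hex), int(port_hex, 16), inode))
    return found


def network_exposed(listeners: list[Listener]) -> list[Listener]:
    """Keep only sockets that remote hosts can reach (not bound to loopback)."""
    return [l for l in listeners if not ipaddress.ip_address(l.address).is_loopback]


def audit_host() -> tuple[list[Listener], list[Listener]]:
    """Read the live kernel tables; returns (network_exposed, loopback_only)."""
    listeners = []
    for proto in ("tcp", "udp"):
        with open(f"/proc/net/{proto}") as fh:
            listeners += parse_proc_net(fh.read(), proto)
    exposed = network_exposed(listeners)
    local_only = [l for l in listeners if l not in exposed]
    return exposed, local_only


# Constructed sample tables: sshd and NetBIOS bound to all interfaces,
# CUPS and a resolver bound to 127.0.0.1, plus one established (non-listening) connection.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11002 1 0000000000000000 100 0 0 10 0
   2: 00000000:008B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11003 1 0000000000000000 100 0 0 10 0
   3: 0F02000A:0016 5E000001:C3F1 01 00000000:00000000 00:00000000 00000000     0        0 11004 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0089 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12001 2 0000000000000000 0
   1: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12002 2 0000000000000000 0
"""

if __name__ == "__main__":
    sample = parse_proc_net(SAMPLE_TCP, "tcp") + parse_proc_net(SAMPLE_UDP, "udp")
    for l in network_exposed(sample):
        print(f"network-reachable: {l.proto}/{l.port} on {l.address} (inode {l.inode})")
```

Each reported inode can be matched against /proc/<pid>/fd to find the owning process, which is the service to consider disabling; anything left in the network-reachable list is the code a host firewall would otherwise have to stand in front of.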
Good point. Duly posted on ATAC.
You ought to put this on your ATAC list. There’s no better example of an abusable technology than a firewall that opens up new security vulnerabilities.