Security Updates – Are they the answer?

Ah, another “update Tuesday” – known to the rest of the world as “patch Tuesday” but we are not supposed to call it that.

We have a fine crop of updates for you but I am not going to talk about those, partially because we won’t be releasing them for several hours and partially because that is the province of my much respected colleagues in the MSRC – you can always get the straight dope here:

This month so far has been a fairly quiet time for me. We are seeing fewer new infections recently though the ratios of where this stuff comes from are pretty consistent. You might find the threat map at to be an interesting read.

The Storm botnet is recruiting again, this time with Valentine cards instead of Christmas cards or promises of applications to help you track football scores. A lot of people are now aware of the techniques used by this bot and infection rates seem to be dropping a little though it is a little hard to tell. Storm uses a peer to peer protocol for its command and control mechanism and so there is no one place to monitor the network. The packets look very much like eDonkey file share activity unless you know to look for the 40 byte encrypted packet at the start.

On the subject of Storm, this is a malware that, in its most recent versions, has been very much based on social engineering. It is apparently remarkably easy to persuade people to install malware on their computers. No really, I am not making this up. Independent research shows that around 75% of malware on systems got there because a user installed it while under the impression that it was a good idea. Some of it is installed because a popup tells them that they need a video codec so they download an EXE file. Some of them respond to a popup saying that there is evidence of malware or visiting adult sites on their computer. They download the program to “fix” this problem and then the problems start. Now, you, gentle reader, I know that you would never fall for such blatant social engineering but consider your cousin, the person at the supermarket checkout, yourself when you were a kid still learning what you know now… well, they will. Not every unskilled user will fall for these tricks but enough will that it is a fertile recruiting ground. 75% of malware gets on systems this way. Who needs security vulnerabilities to spread malware?

Is it heresy to say that on a patch Tuesday? Of course, vulnerabilities matter. Wormable vulnerabilities matter a lot. A corporate network can be taken down in less than an hour by an aggressive worm if there are no mitigations in place. Targeted attacks pretty much always use some vulnerability in software. Vulnerabilities matter a lot. Updates are critical. What they are not is all of the story. Many people seem to think that they are.

One of the most common questions that I get asked when people learn what I do for a living is “Why don’t Microsoft make Windows more secure?” The answer is “We did. Look at Vista and Server 2008. We are. Look at the bulletin release schedule. Look at the malicious software removal tool.” I don’t generally say the next bit. We work very hard to improve security but we don’t have much control over the things that get exploited most often: People.

Ah, but wait a minute, I hear you say. If vulnerabilities are not the be all and end all, why are there so few malwares on (insert name of alternate OS here). The answer to this is simple and I am far from the first to say it. Why do criminals rob banks? Well, that is where the money is. Malware used to be written for bragging rights. Now it is written for money. Either way, the malware writer wants as many systems as possible affected. 19 out of 20 desktop systems run some flavor of Windows. If I want to affect as many systems as possible, which do I attack? It is a no-brainer. You develop exploits for the biggest payoff.

Does this depend on which system has the most vulnerabilities? No, not at all. If Linux had 5 times as many vulnerabilities as Windows (which I don’t think for a moment that it has) and you had a 100% success rate at compromise Linux desktops then you would have… 5% of the market. If you had a 10% success rate at compromising Windows systems then you have 9.5% of the market.  It doesn’t make sense to go for Linux as a platform for malware.

All that said, vulnerabilities in the OS are less of a factor all the time. A lot of exploits target applications these days. The antivirus product, the reader for one of the common formats like Flash or PDF or Java or whatever it is this month are at least as good a target. The people are at least as good a target. In fact, looking at the numbers, the people are 3 times better targets. We can’t make better people – and we don’t want to limit what people can do because people resent that. Look at the reputation that user access control in Vista has.

It is a tricky problem. We can make better operating systems. We can not make better people.

(Edited - The original said that we could make better people - so not what I meant)

Signing off


Comments (2)
  1. Will Pearson says:


    You might like to read some of the work by Angela Sasse.  She’s a lecturer in human computer interaction at UCL, and she’s one of the few HCI researchers that has worked in the field of security.  You can find her publication list here:

    The ACM also published a special issue of Interactions, which is the magazine of their SIG on HCI (SIGCHI), on security back in 2006.  You can find the table of contents here:

    If you’ve got an account for the ACM digital library then you should be able to get access to the online PDF’s of the content.  If you haven’t got an account then I might still have the print copy lying about somewhere.  One article that may be of particular interest might be

    Jefferson B. Hardee, Ryan West, Christopher B. Mayhorn, (2006), ‘To download or not to download: an examination of computer security decision making’, Interactions, 13:3, ACM: New York, NY, USA

    My personal view is that you can create better users; after all, isn’t that what education is all about?  However, creating better users is only one solution.  Why don’t we take a defence in depth view and create security systems that work better with users?

    Whilst creating more secure software sounds like the typical complaint that Microsoft should make Windows more secure I’m actually thinking about this in more than just technical terms.  Microsoft promotes the great security idea of SD3, which stands for secure by design, secure by default, and secure in deployment.  When I read ‘Writing Secure Code’ by Howard and LeBlanc, which is published by MS Press, they made secure in deployment sound like a usability/user experience problem.  User experience is all about creating software that is easier and more effective for users to use, and so SD3 actually covers this valuable aspect of security; however, it’s problematic because the people often charged with security don’t understand users and the people who do understand users often don’t work on security issues.

    I’ve come across many examples where I believe that the secure in deployment aspect of something could be improved.  One example that I found a few weeks ago was the security page of the internet options control panel applet where the concepts and language used are going to be unfamiliar to the majority of users and a communications failiure will result.  Another example is actually UAC, where I believe that the designers of UAC failed to account for user’s motivation because UAC could actually end up turning people off the idea of security.

    If we can start to design security systems that are more in tune with people and the way that they work then we could start to improve security significantly.  I agree that the biggest problem in security are users but it’s a problem that can be minimised or resolved with some work.

Comments are closed.

Skip to main content