Tuesday, January 12, 2016

Hazardous Software – CHIP

For twelve years now, regularly, on the second Tuesday of every month, users have received Windows updates. Of course, the operating system is not the only regularly updated code; Flash Player or the Java library are other frequently updated programs. The aim of an update is to remove errors detected in the code. Such errors are not only a possible cause of malfunction; they are also a serious threat to data security. A program containing bugs can become a tool for distributing malware, infecting further computers, spying on users, and so on. Regular care of the code is all the more important because many programs, operating systems in particular, are products with a long life on the market. Windows is the foundation for hundreds of thousands of applications, and yet the code of Windows 7, still the most popular version today, was written a long time ago. A separate issue is design faults. An example is the platform for managing licensed and digitally protected electronic publications, Adobe Digital Editions. Earlier versions of this tool exchanged with Adobe's servers not only license data (for license verification) but also data about the e-book collections of specific individuals. The problem was that this data was transmitted in clear text. Only an update improved security.



Security is not a priority

The more popular and widespread a piece of software is, the more intensely people look for loopholes in it. Since 2012 the top of the list has been occupied by Oracle, the maker of Java, code that causes a lot of trouble.

When we listen to the assurances of software vendors' marketing departments, it may seem that security is an important, perhaps the most important, feature of the solutions they promote. Unfortunately, it is not. A particularly glaring example of a too casual approach to, or even disregard for, security issues is Apple and its mobile system, iOS. The adoption of the wrong priorities meant that the first versions of the latest generation, iOS 8, were full of glaring errors, some of which even prevented users from using devices with this system normally. The introduction of the 8.0.1 update turned out to be an even worse move, because instead of improving the situation the update only made it worse. There is an evident conflict of interest between application developers and the publishers and managers responsible for bringing new solutions to market. The former want more time to check the code further; the latter care about how soon the product is on the market. The problem is so serious that code defects have become a traded commodity. Launched in 2010, the Google Vulnerability Reward Program rewards those who find vulnerabilities in Google's software that pose a potential threat to the safety of users. The rates paid depend on many factors: the type of product affected, the scope of the vulnerability's impact, and so on.

Anyone who is first to report a newly discovered vulnerability in Google's software or services can count on a generous payout. Independently of this, vulnerabilities are traded on the Internet.

An example of the highest-paid finding is the discovery of a remote code execution vulnerability: finding an error of this type brings the discoverer a reward of $20,000. Kevin Mitnick, in turn, has opened an online store in which software vulnerabilities are traded, and the most dangerous ones at that. The price? $100,000 apiece. A separate issue is “designed” vulnerabilities. Their existence had long been suspected, and Edward Snowden's revelations confirmed it. FBI Director James Comey, a supporter of surveillance, acknowledges that individual privacy and public safety often find themselves on a collision course.



System flaws

The absence of known vulnerabilities in a program does not mean that we are dealing with a safe product. It may only mean that the code is not very popular and simply has not attracted the interest of attackers. The focus of cybercriminals is popular code, because only popular code guarantees rapid propagation of the threats “injected” through an open vulnerability. Therefore both those responsible for security and cybercriminals look for vulnerabilities in commonly used applications and operating systems.

The solution published on the Docker site (www.docker.com) gives you the ability to run software, along with the required libraries and add-ons, in safe virtual “containers”. The idea of “docked” applications comes from the Linux world and has so far been used only in server software.

Assessing how safe a program is, is a difficult task. The number of known bugs is only one indicator; it is also important how serious the consequences of exploiting a given fault are. An answer is provided by ratings under the CVSS system (Common Vulnerability Scoring System, a standard for assessing security issues). Each identified vulnerability (published, for example, in the NVD database, the National Vulnerability Database, nvd.nist.gov; CVSS ratings are also published in the bulletins accompanying update packages, as Microsoft does) is rated on a 10-point scale. A value of 10 is the most serious problem, and vulnerabilities rated 7 to 10 are regarded as an extremely serious threat to security. Windows has long been considered very insecure, while both of Apple's operating systems, OS X on the desktop and iOS on mobile devices, are regarded by consumers as safe solutions. However, the NVD statistics and CVSS ratings say otherwise.
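To make the scoring concrete, here is an added Python example (not code from the CHIP article or from NIST) that triages a small constructed feed of NVD-style records: it maps each base score onto the NVD severity bands for CVSS v2 (Low 0.0 to 3.9, Medium 4.0 to 6.9, High 7.0 to 10.0, the last being the 7-to-10 range the article calls extremely serious), lists the high-severity entries first so they can be patched first, and counts findings per product, which is how a chart like the one in the next section is built. The CVE identifiers, products and scores in the feed are placeholders constructed for the example.

```python
"""Triage of NVD-style vulnerability records by CVSS base score.

Added example, not code from the CHIP article or from NIST. The feed below is
constructed for illustration; its CVE identifiers are placeholders.
"""
import json
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnRecord:
    cve_id: str
    product: str
    cvss_base: float  # CVSS base score, 0.0 to 10.0


# Constructed JSON-lines feed standing in for an NVD export (placeholder ids).
SAMPLE_FEED = """\
{"cve": "CVE-0000-0001", "product": "OS X", "cvss": 10.0}
{"cve": "CVE-0000-0002", "product": "iOS", "cvss": 9.3}
{"cve": "CVE-0000-0003", "product": "Windows 7", "cvss": 7.2}
{"cve": "CVE-0000-0004", "product": "OS X", "cvss": 6.8}
{"cve": "CVE-0000-0005", "product": "Windows 7", "cvss": 4.3}
{"cve": "CVE-0000-0006", "product": "iOS", "cvss": 2.1}
{"cve": "CVE-0000-0007", "product": "OS X", "cvss": 7.5}
"""


def severity(score: float) -> str:
    """Map a CVSS v2 base score onto the NVD severity bands."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score >= 7.0:
        return "HIGH"      # 7.0 to 10.0: the range the article calls extremely serious
    if score >= 4.0:
        return "MEDIUM"    # 4.0 to 6.9
    return "LOW"           # 0.0 to 3.9


def load_records(feed: str) -> list:
    """Parse one JSON object per line; malformed or out-of-range entries raise."""
    records = []
    for line in feed.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        score = float(obj["cvss"])
        severity(score)  # validates the range before the record is accepted
        records.append(VulnRecord(obj["cve"], obj["product"], score))
    return records


def high_severity(records) -> list:
    """Entries to patch first: HIGH band, most severe first, id as tie-break."""
    return sorted(
        (r for r in records if severity(r.cvss_base) == "HIGH"),
        key=lambda r: (-r.cvss_base, r.cve_id),
    )


def count_by_product(records, min_score: float = 0.0) -> list:
    """Number of findings per product at or above min_score, largest first."""
    counts = Counter(r.product for r in records if r.cvss_base >= min_score)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def band_summary(records) -> dict:
    """How many findings fall into each severity band."""
    return dict(Counter(severity(r.cvss_base) for r in records))


if __name__ == "__main__":
    recs = load_records(SAMPLE_FEED)
    print("bands:", band_summary(recs))
    for r in high_severity(recs):
        print(f"{r.cve_id}  {r.cvss_base:4.1f}  {r.product}")
    print("high-severity findings per product:", count_by_product(recs, 7.0))
```

Counting by product with `min_score=7.0` reproduces the kind of "most vulnerable operating system" ranking the article refers to; counting without a threshold shows how much the picture changes when low-severity entries are included, which is the point the article makes about raw bug counts being only one indicator.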



Windows more secure than it seems

The most vulnerable operating systems (data from 2014).

The number of errors found in Microsoft's code has been steadily declining over the last few years. The same holds true for the company's popular office suite. Adobe, on the other hand, although it regularly patches Adobe Reader and Flash Player, no longer achieves similar results. One idea for reducing the risk of vulnerabilities in popular software being exploited is to replace commonly used applications with much less popular counterparts: in place of Microsoft Office, for example, the LibreOffice package, and in place of Adobe Reader, the Sumatra PDF program. However, it is hard not to notice that this idea also means giving up certain functions and often having to change one's habits, and that is a price not everyone will decide to pay.

A better solution is for software producers to implement mechanisms for opening documents in a secure, isolated environment. Adobe Reader is an example: since version 10 the reader has been equipped with a so-called sandbox in which the PDF document is opened. The essence of a sandbox is that the processed data are separated from the rest of the system and the applications running on it, which effectively reduces the possibility of infiltration and infection of the host system. Unfortunately, in 2014 three vulnerabilities were discovered that undermined the sandbox, which was supposed to raise the level of protection. Yet another defensive mechanism is Docker, a platform for running applications, together with the libraries they require, in a virtual container. Microsoft plans to implement a Docker-type solution in the next edition of its server system.
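As an added example (not code from the CHIP article, Adobe or the Docker project), the Python below shows what the isolation this section describes looks like when a practitioner builds it with Docker: an untrusted PDF is handed to a throwaway container that has no network, a read-only filesystem, no Linux capabilities and an unprivileged user, with only that one file mounted read-only. A naive command line is kept alongside for contrast, and a small audit function reports which hardening flags a given command line lacks. The image name `pdf-tools` and the `pdftotext` command run inside it are assumptions; the docker flags themselves are real.

```python
"""Opening an untrusted document inside a locked-down Docker container.

Added example, not from the CHIP article, Adobe or the Docker project. The image
name and the in-container command are hypothetical; the docker flags are real.
"""
import shutil
import subprocess
from pathlib import Path

IMAGE = "pdf-tools"  # hypothetical image that contains a PDF-to-text converter
COMMAND = ("pdftotext", "/work/input.pdf", "-")  # assumed tool inside the image

# Flags (single, or flag plus value) that an isolated invocation must carry.
REQUIRED_HARDENING = (
    "--network none",                    # no channel out of the container
    "--read-only",                       # immutable root filesystem
    "--cap-drop ALL",                    # no Linux capabilities at all
    "--security-opt no-new-privileges",  # setuid binaries cannot raise privileges
)


def isolated_run_argv(document, image=IMAGE, command=COMMAND) -> list:
    """Build the docker run command line that processes `document` in isolation."""
    document = Path(document).resolve()
    if document.suffix.lower() != ".pdf":
        raise ValueError(f"expected a .pdf file, got {document.name}")
    return [
        "docker", "run", "--rm",             # container is discarded afterwards
        "--network", "none",
        "--read-only",
        "--cap-drop", "ALL",
        "--security-opt", "no-new-privileges",
        "--user", "65534:65534",             # nobody:nogroup, never root
        "--pids-limit", "64",                # bounds fork bombs
        "--memory", "256m",                  # bounds memory exhaustion
        "--tmpfs", "/tmp:rw,noexec,nosuid,size=64m",  # scratch space, not executable
        "-v", f"{document}:/work/input.pdf:ro",       # exactly one file, read-only
        image, *command,
    ]


def naive_run_argv(document, image=IMAGE) -> list:
    """The weak 'before' variant: root inside the container, network on,
    and the document's whole directory mounted writable."""
    document = Path(document).resolve()
    return ["docker", "run", "--rm", "-v", f"{document.parent}:/work",
            image, "pdftotext", f"/work/{document.name}", "-"]


def missing_hardening(argv) -> list:
    """Return the REQUIRED_HARDENING entries that a command line does not carry."""
    present = set(argv) | {" ".join(argv[i:i + 2]) for i in range(len(argv) - 1)}
    return sorted(flag for flag in REQUIRED_HARDENING if flag not in present)


def run_isolated(document, image=IMAGE, timeout=60) -> str:
    """Run the converter in the locked-down container and return its stdout."""
    if shutil.which("docker") is None:
        raise RuntimeError("docker CLI not found on PATH")
    argv = isolated_run_argv(document, image)
    if missing_hardening(argv):
        raise RuntimeError("refusing to run without full hardening")
    proc = subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout, check=True)
    return proc.stdout


if __name__ == "__main__":
    argv = isolated_run_argv("/tmp/untrusted.pdf")
    print(" ".join(argv))
    print("naive variant lacks:", missing_hardening(naive_run_argv("/tmp/untrusted.pdf")))
```

The container still shares the host kernel, so this is the same trade-off the section describes for Adobe Reader's sandbox: a kernel or runtime vulnerability can undo the isolation, which is why the resource limits and the dropped capabilities are there to shrink what a compromised converter can reach, not to make the host invulnerable.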
