For twelve years, regularly, every second Tuesday of each month, users get Windows updates. Of course, the operating system is not the only regularly updated code. Flash Player or Java libraries are often updated from successive programs. The aim of the renovation is to remove the detected errors in the code. Such errors include not only the possibility of a malfunction of the solution, but also a serious threat to data security. The program contains errors can become a tool for facilitating the distribution of malicious software infecting additional computers, infiltration users etc. Regular care of the code of the solution is so important that many programs – in particular operating systems – are products with a long life in the market. Windows is the foundation for the hundreds of thousands of applications, and after the code is still today the most popular Windows 7 was developed a long time ago. A separate issue is design defects. An example would be a platform for managing licensed and digitally protected electronic publications – Adobe Digital Editions. In older versions of the tool exchanging of servers, Adobe is not only the license data (verification of the license), but also data bases of e-book readers individuals. The problem was that the data were transmitted in plain text. Only the update to improve security.
Security is not a priority
the more popular and distributed software, this intensely looking at the gaps. From 2012 on top of the list is Oracle, editor of Java – code sprawiającego lot of trouble
When we listen to the assurances of representatives of the departments of marketing software vendors, it may seem that security is important, perhaps the most important issue promoted included in the solution. Unfortunately, it is not. A particularly glaring example of too trivial approach or even disregard of safety issues is Apple and its mobile system – iOS. The adoption of the wrong priorities meant that the first versions of the latest generation of iOS 8 were full of glaring errors, sometimes even preventing users with normal use of the device with this system. Introduction 8.0.1 upgrade turned out to be even worse move, because the update, instead of improving the situation only worsened it. Clearly a conflict of interest between application developers and publishers, managers responsible for the implementation of new solutions. The former want to have more time for further checking of the code, the latter depends on how soon the product is on the market. The problem is so serious that the code defects become traded. Launched in 2010, Google Vulnerability Reward Program rewards those who find Google’s software vulnerabilities posing a potential threat to the safety of users. Paid rates are dependent on many factors: the type of affected product, range of impact vulnerabilities like.
Anyone who as the first reports of newly discovered vulnerability in the software and services Google can count on a generous salary. Regardless of the Internet vulnerabilities are traded.
exemplification of the best-paid event is the discovery of vulnerabilities allow remote execution of code – to find this type of error is the discoverer of gratification in the amount of $ 20,000. On the other hand, Kevin Mitnick opened an online store, which are traded software vulnerabilities, and it is the most dangerous. Price? $ 100,000 apiece. A separate issue is the gap “designed.” Their existence was suspected for a long time, and this fact is confirmed by the revelations of Edward Snowden. FBI Director James Comey is a supporter of monitoring – realizes that the privacy of the individual and public safety are often on a collision course.
Feler system
None of the vulnerabilities in the program does not mean that we to deal with safe product. It can only mean that the code is not very popular, and simply did not raise interest aggressors. The focus of cybercriminals is a popular code, because only this guarantees a rapid propagation of threats “injected” through an open gap. Therefore, both the person responsible for the safety and cybercriminals are looking for vulnerabilities in common applications and operating systems.
The solution published on the site Docker (www.docker.com) gives you the ability to run the software with the required libraries and additives in a safe virtual “containers”. Solution “dokowanymi” applications comes from the world of Linux and has been used only in the server software.
An attempt to assess how safe is the program, a difficult task. The number of known bugs is only one of the indicators, but it is also important, how serious the consequences involves the use of a given fault. The answers provide assessments in accordance with the system CVSS (Common Vulnerability Scoring System, a standard assessment of the threat to the security of computer systems). Each identified hazard (eg published. NVD database – the National Vulnerability Database – nvd.nist.gov; grade information CVSS also published newsletters accompanying the update packages – so does eg. Microsoft) is rated at 10-point scale. The value of 10 indicates the most serious problem with the gap having the assessment of 7 to 10 is considered to be an extremely serious threat to safety. Windows has long been considered to be very secure, and both Apple’s operating systems – OS X desktop and mobile iOS – are regarded by consumers for safe solutions. However, the statistics NVD and evaluation CVSS say something else.
Windows safer than it seems
the most vulnerable operating systems (data from 2014).
the number of detected errors in the code Microsoft in the last few years steadily declining. It is the same situation in the case of the popular office suite of the company. On the other hand, Adobe, although regularly patch your reader Adobe Reader or Flash Player is not already reached similar results. The idea to reduce the risks associated with the potential use of vulnerabilities in popular software is to replace the commonly used applications significantly less popular counterparts, eg. In the case of Microsoft Office can be LibreOffice package, and instead the reader Adobe Reader program Sumatra PDF. However, it is difficult not to notice that the idea is also agreed to waive certain functions and often need to change habits, and this is the price that not all choose to pay.
A better solution is to implement the software vendors mechanisms for opening documents in a secure, isolated environment. An example would be the software Adobe Reader. Since version 10 reader is equipped with a so-called. sandbox, which opens a PDF document. The essence of sandbox is that the processed data are separated from the rest of the system and the applications running on it, which effectively reduces the possibility of infiltration and infection of the host system. Unfortunately, in 2014, they discovered three vulnerabilities that have hampered efforts associated with the use of the sandbox, which would increase the level of protection. Yet another embodiment defense system Ayers. Is a platform for running applications, including those required by the program libraries in one virtual container. Microsoft plans to implement a solution type Docker in the next edition of its server system.
No comments:
Post a Comment