Thursday, November 29, 2007

The Fine Line Between Security and Usability

See the next article for an update on the article below ...

"Finding the right balance between security and usability is difficult for any software developer. Recently a set of issues was disclosed where it was apparent that Microsoft had worsened the security situation for their users based on the software provided with Windows, or based on their response to reported problems.

Whether it is Microsoft's desire to make computing as simple as possible for the masses, or whether it is a simple question of economic terms, the inclusion of the affected Macrovision DLL on Windows XP and 2003 could be interpreted as both. If Microsoft hadn't included it, then there would be many users confused as to why their software wasn't quite working as expected, and why a newly purchased game was seeking to install core system components. On the other hand, by providing the software, it means that there are millions of business systems that will never see gaming software installed, and which have no need for this particular anti-copying measure. In this instance, Microsoft identified and issued a patch before there was too much of a problem.

On the other hand, predictable (pseudo)random number generation isn't something that most people would encounter on a routine basis, but it can have real world effects when systems rely upon that number generation to determine how network responses should be sequenced. While this was one of the patches issued by Microsoft with the November release cycle, it should be noted that numerous sources were carrying information about the predictability of number generation before the patches were released. Not only this, but Apple's Security Update 2007-008 / OS X 10.4.11 release that came out in the same week included an update for BIND that addressed a similar-looking weak (pseudo)random number generation issue. While it may have just been coincidental, it is interesting to see two major software vendors provide updates for very similar DNS server problems for two different DNS server products in the same approximate timeframe.

Another issue which came to light last week may pose more of a problem for business and home users, especially given that Microsoft acknowledged to the discoverer that they would not be patching the remote code execution vulnerability that he had reported -

"Microsoft replied to me that they would not fix this vulnerability, it looks like they will not acknowledge vulnerabilities which are from .mdb file".

Microsoft's response points to a Knowledge Base article which merely leads to a list of filetypes that are considered 'unsafe' by different Microsoft products. It doesn't actually indicate that the filetype should no longer be used by end users or that Microsoft will not be supporting the filetype anymore."    (Continued via Sûnnet Beskerming)    [Usability Resources]
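The quoted article's point about predictable (pseudo)random number generation in DNS servers is easier to see with a toy. The Python below is an added example, not code from the original article, from Microsoft's or Apple's patches, or from BIND: a constructed 16-bit linear congruential generator (constants LCG_A, LCG_C, LCG_M are hypothetical) stands in for a weak transaction-ID source, `secrets.randbelow` stands in for an unpredictable one, and a simulated attacker who saw the ID of one query forges a response carrying the ID it expects next. A resolver that matches replies to queries only on that 16-bit ID accepts every forgery against the weak generator and essentially none against the strong one.

```python
"""Toy: why a predictable DNS transaction-ID generator lets responses be forged.

Constructed example. The weak generator is a hypothetical 16-bit LCG, not
the algorithm used by any real DNS server; the strong one uses the OS CSPRNG.
"""
import secrets

# Hypothetical LCG constants for the toy generator (full period mod 2**16).
LCG_A, LCG_C, LCG_M = 25173, 13849, 1 << 16


class WeakTxidGenerator:
    """Each transaction ID is the previous ID pushed through a fixed, public step."""

    def __init__(self, seed: int) -> None:
        self.state = seed % LCG_M

    def next_id(self) -> int:
        self.state = (LCG_A * self.state + LCG_C) % LCG_M
        return self.state


class StrongTxidGenerator:
    """Each transaction ID comes from the OS CSPRNG; past IDs reveal nothing."""

    def next_id(self) -> int:
        return secrets.randbelow(1 << 16)


def predict_next_weak(observed_id: int) -> int:
    """Attacker's model of the weak server: apply the same public step once."""
    return (LCG_A * observed_id + LCG_C) % LCG_M


def spoofing_trial(gen, rounds: int) -> int:
    """Count forged responses a resolver accepts when it matches on the 16-bit
    transaction ID alone and the attacker predicts each ID from the previous one.
    """
    accepted = 0
    last_seen = gen.next_id()  # attacker observes one outbound query on the wire
    for _ in range(rounds):
        forged_id = predict_next_weak(last_seen)  # forged reply sent ahead of time
        real_id = gen.next_id()  # resolver's next real query
        if forged_id == real_id:  # only check the resolver performs in this toy
            accepted += 1
        last_seen = real_id
    return accepted


def compare(rounds: int = 200, seed: int = 4242) -> dict:
    """Run the same attack against both generators and report accepted forgeries."""
    return {
        "weak": spoofing_trial(WeakTxidGenerator(seed), rounds),
        "strong": spoofing_trial(StrongTxidGenerator(), rounds),
        "rounds": rounds,
    }


if __name__ == "__main__":
    result = compare()
    print(f"forged responses accepted out of {result['rounds']}: "
          f"weak PRNG = {result['weak']}, CSPRNG = {result['strong']}")
```

The toy exaggerates real servers, which do not expose the whole generator state in one ID, but the lesson transfers: any structure an observer can learn from earlier IDs shrinks the space an attacker has to guess, and the remedy both vendors shipped was to draw the IDs from a source the observer cannot model.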

