13 Mar 2002
Vendors need to address the technologies and configurations of software, rather than rely on the education of users, if they want to win the security war, according to security experts. The warning follows a number of recent high-profile exploits.
Last week the mass-mailing Gibe virus hit Windows users. It arrived as an executable attachment, purporting to be a security update, on a fairly convincing forged Microsoft email.
Although its potential for distribution was high, the virus seems to have been contained. But security watchers have warned that we can expect more of the same unless vendors wake up.
Tim Ecott, head of professional services for Integralis' ethical hacker team, S3, said: "This is just another occurrence of what we have seen so many times before.
"When will people wake up and realise that you have to change the functionality of software to make it more secure?
"Take Outlook, for example, in the light of the Gibe virus. You would be hard pushed to find viruses that target other mail packages.
"This is because an exploit is almost guaranteed to work on that platform. A significant number of users use Outlook and are not diligent about a secure configuration."
Explaining that users pick such programs for ease of use and functionality although, in reality, a majority of features are never used, Ecott stated: "In Outlook every function is enabled by default: preview pane, execute all scripts etc.
"Virus writers don't need to target another platform. Users tend not to disable all these features, whether they use them or not, and leave themselves open to attack. Outlook is [just] a mail client. It reads email, why should it do anything else?"
He added that it wasn't just Microsoft that was guilty, but all vendors that sacrifice security for bells-and-whistles functionality.
"You have to target the technology, not the end users," said Ecott. "You can't rely on the fact that end users will stop falling victim to social engineering and stop opening attachments."
"Although it is often possible to go through applications and disable any potentially harmful extra functionality, this is often expensive and time consuming and just makes administrators' lives more complicated than they need to be," he concluded.