Downsize your defaults

Computer malware history is full of those Doh! moments: occasions where you are left at worst speechless, at best dumbfounded. In many cases user error or ignorance is the root cause, but often it is the software at fault. I am not talking about defects in the software that may subsequently get exploited. I am talking about technology that opens a user up to attack while delivering very little advantage to that user in terms of product features.

I am not against functionality. Far from it. But the evolution of software and operating systems is no excuse for poor design or ill-thought-out technology. I am sure malware authors must love what we seem to accept as the natural side effect of software evolution: an increased attack surface. You only need to think back a few years to the huge problems caused by macro viruses for a good example of how additional functionality, switched on for everyone by default, significantly changed the game as far as security was concerned.

On the last two occasions where I have had to help clean up infected machines for friends, both infections could easily have been prevented by a more intelligent choice of default product configuration.

In one case, the user was infected via a malicious PDF. Sadly, this is a common occurrence nowadays, and one of the reasons Adobe have taken steps to tighten up their patching process (very welcome). The fact that Adobe Reader by default runs JavaScript embedded in a document is quite simply an open door for the attacker: the script runs as soon as the document is opened, with no prompt and no user action required. Turning it off will not stop every PDF exploit, since bugs in the parsing of fonts and images need no script at all, but it does remove the scripting that most in-the-wild samples rely on to stage their payload. And what would be the cost of disabling this “feature” in terms of loss of functionality for the typical user? Minimal, I suspect. Given the growth in malware using PDFs as a point of entry, why do we accept the decision to enable such functionality by default? (See here for details on how to disable JavaScript.)

The curse of AutoRun functionality within Windows is another example, where a single piece of functionality enabled attackers to infect hordes of victims simply by getting an autorun.inf onto a USB stick or network share. In this case, as previously reported, good news is finally on the horizon, with Microsoft planning to restrict the functionality in Windows 7 (and XP/Vista as well at some point) to CD/DVD drives.
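Neither of the two defaults above has to wait for the vendor to change its mind; both live in the registry and can be audited and locked down today. The following PowerShell script is an added example and is not from the original post, from Adobe, from Microsoft or from Sophos: it reports each setting as OK or WEAK and, with -Apply, writes the hardened value. The Reader version path ("9.0") is an assumption and must match the version actually installed; on 64-bit Windows with 32-bit Reader the policy key sits under Wow6432Node instead.

```powershell
# Added example, not from the original post. Audit and optionally harden the two
# defaults discussed above: Adobe Reader running embedded JavaScript, and AutoRun.
# Run from an elevated prompt. Without -Apply the script only reports.
param(
    [switch]$Apply,
    [string]$ReaderVersion = "9.0"   # assumption: set to the installed Reader version
)

# One entry per setting: registry key, value name, value type, hardened value, and why.
$settings = @(
    @{  # Per-user Reader preference; 0 = do not run JavaScript in PDFs
        Path = "HKCU:\Software\Adobe\Acrobat Reader\$ReaderVersion\JSPrefs"
        Name = "bEnableJS"; Type = "DWord"; Want = 0
        Note = "Adobe Reader: JavaScript in PDFs off"
    },
    @{  # Machine-wide lockdown so a user cannot re-enable it from Preferences
        Path = "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\$ReaderVersion\FeatureLockDown"
        Name = "bDisableJavaScript"; Type = "DWord"; Want = 1
        Note = "Adobe Reader: JavaScript setting locked"
    },
    @{  # Bit mask of drive types on which AutoRun is disabled; 0xFF = every drive type
        Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        Name = "NoDriveTypeAutoRun"; Type = "DWord"; Want = 0xFF
        Note = "Windows: AutoRun disabled on all drive types"
    },
    @{  # Belt and braces: map autorun.inf to a non-existent key so Windows never parses it
        Path = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
        Name = "(default)"; Type = "String"; Want = "@SYS:DoesNotExist"
        Note = "Windows: autorun.inf files ignored"
    }
)

foreach ($s in $settings) {
    # Read the current value, treating a missing key or value as "absent".
    $current = $null
    if (Test-Path -Path $s.Path) {
        $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        if ($item) { $current = $item.$($s.Name) }
    }
    $state = if ($current -eq $s.Want) { "OK" } else { "WEAK" }
    $shown = if ($null -eq $current) { "<absent>" } else { "$current" }
    "{0,-5} {1}  (current: {2}, want: {3})" -f $state, $s.Note, $shown, $s.Want

    # Only write when asked to and when the value is not already hardened.
    if ($Apply -and $current -ne $s.Want) {
        if (-not (Test-Path -Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Want `
            -PropertyType $s.Type -Force | Out-Null
        "      -> set {0}\{1} = {2}" -f $s.Path, $s.Name, $s.Want
    }
}
```

The Autorun.inf mapping entry is included because, until the AutoRun update Microsoft has described for XP and Vista is installed, NoDriveTypeAutoRun alone was not honoured consistently on those systems; the mapping stops Explorer reading autorun.inf at all. Open Reader's Preferences afterwards to confirm the JavaScript option is both unticked and greyed out by the lockdown value.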

Most software vendors are acutely aware of the importance of security in their products. But I do believe that users could be better protected if more thought were given to the default product configuration. In addition to protecting certain applications with buffer overflow protection (BOPs), Sophos also provide the ability to control the applications that organizations wish to permit on their networks. The time is nigh for organizations to review and control the precise configuration of those applications as well.