Vulnerable Out of the Box - The Problem With Plug-Ins

Wednesday, November 17, 2010

Contributed By:
Rafal Los

As I was digging through my cache of old white papers, industry reading material and other such things on a plane ride recently (and I do a lot of those these days), I stumbled upon the "Invisible Things - Quest to the Core" presentation.

If you've not seen or read it - it's scary research and proofs coming from some of my fellow Polish researchers!

Anyway... slide 18 of 209 just caught me for a moment... it was a screen capture of a ZDNet article Ryan Naraine had written on September 2nd, 2009 titled "Snow Leopard ships with vulnerable Flash Player". I just sort of sat there for a moment... and contemplated.

How is that different today? Of course, nearly every machine today that ships with Adobe Flash player (not that I'm interested in picking on Adobe here) has a "vulnerable flash player" installed.

Given how often this plug-in gets 0day headlines, it's a wonder any computer vendors would package the player in "out of the box" for fear of shipping a vulnerable version.

Of course, the reaction is then to simply not ship Flash Player by default... thus decreasing the likelihood of shipping it with that particular vulnerability - but then the user has to go get it themselves... possibly getting it from a site that's distributing *malware* instead of Flash!

I've thought about this for a moment, and have an alternative which I think would work. I can't remember who put this idea in my head so I'm failing to give someone credit and I apologize - but WHAT IF computers came shipped with *nothing* except a bare-bones OS by default?

What if on the first boot you had to be connected to the Internet, and your computer would then connect to a *trusted site* over a *secure channel* (I'm thinking SSL auth & encrypt here, bi-directionally) - then pull down all the software you'd need from a single vendor-supplied distribution point?

This would both ensure that the software you're getting when you power your computer on is both timely, updated, and from a trusted source.

Interesting idea, isn't it? What do you think, would this work?

Cross-posted from Following the White Rabbit

Share This! |

Views:	1148
Categories:	General
Tags:	Encryption SSL Software Plug-Ins

Post Rating I Like this!

Comments:

Ray Tan Interesting idea.
However, we need to install kinds of programs on our computers, and not every website of the vendor are secured properly.
It is hard to distinguish them from malicious websites, indeed.

1290062812

Rafal Los Ray- Your response is sound. My proposal is at least one means forward... right now what we have is not acceptable, so we have to do something ...right?

1290067026

Ray Tan @Rafal，
Yes,we do need to optimize our current ways.

1290069491

You Must Register or Login to Comment

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked

Latest Member Comments

"Also, am I understanding this properly? Is this Eric Byres suggesting air gap security is a myth because of the fact that the network b..."

Protecting SCADA Systems with Air Gaps is a ... Marc Quibell on 05-22-2012

"I understand. Thanks for the clarification."

Facebook "Like" Button = Privacy Violation +... Didier Trarieux-Lumiere on 05-22-2012

"I have to wonder which Congressional leader will take ownership of this issue. If you leave it to party elders or POTUS it'll always be..."

Hard Power, Soft Power, and the Power of Dig... Ali-Reza Anghaie on 05-22-2012

"@Didier: the point is that a website that includes third-party content causes their visitor's browser to disclose that visit to that th..."

Facebook "Like" Button = Privacy Violation +... Matthijs R. Koot on 05-22-2012