Application Insecurity

Whoop!  Whoop!  Whoop!
I guess I'll have to stop downloading those "special" video CoDecs until this is fixed!

When I bought my computer and applications, it was with the notion that I would accomplish things.  I am wondering if vendors got this memo because it surely seems like I spend a lot of my time and my system’s power to address shortcomings in the core system.

Out of the box, Windows needs OS updates (provided by Microsoft).  This is no different than Linux or Mac.  Unlike either, there’s a “strong recommendation” to purchase an anti-virus program.  Windows will annoy you with a scarily-worded balloon tip until you do.

Once you start down the path of finding anti-virus software, you’ll encounter a lot of marketing for other scareware: application update verifier, a separate firewall, registry de-crapifier, anti-spyware, instant message attachment filtering, mail attachment scanning, and a disk defragmenter.

What started me off on this rant … Several months ago Slashdot and Brian Krebs’ blog both mentioned Secunia’s scanner to verify one is running the current, allegedly more secure (because they’re patched) version of software applications. It sounded like an interesting application, kind of like Express Metrix.

Secunia’s downloadable version has an interesting default behavior of running when Windows starts up. (Sheesh! What program doesn’t?) This is supposed to monitor real-time changes to applications, because, you know, not everyone practices safe hex. Except for you, gentle reader!

My machine was rendered unusable while it scanned a terabyte of files. Like most virus scanners, it merrily surveyed my backlog of This American Life podcasts and Machine Learning PDFs.  It had finally… griiiiiiiinnnnnnnnnnddddddd…. finished the next morning.

Two dozen applications that were insecure because they didn’t receive enough attention when they were applets.  All but two were from Adobe and Sun.

[Image: Panic!]

This may be too subtle to notice in the screen capture, but the Java problems above were not due to my shutting off the damned Flavor Of the Month updater.  Rather, the two computational physics applications I’ve installed are bundled with runtime versions of Java.  Runtime versions of Java change enough that vendors are compelled to install a known version, lest the bugs be fixed and not necessarily improved.  (I ask: isn’t this a reason to not develop commercial software in the language?)  Secunia was complaining those versions were insecure/out of date.

The only recourse seems to be examining the technical details, ignoring the applications using it or trying to manually patch it with a more recent version of Java.  Hey, I’ve got nothing better to do than get another degree, even if it is Theoretical But Unlikely Security Issues.

Then there’s Adobe’s applications. The Flash player was bundled with Flash Professional, something I installed a few years ago to attach the “Kashmir” sound track to a flow field animation.  (This amused our former marketing communications manager.) I’m surprised this wasn’t automatically updated by Adobe. I patched it manually.

Acrobat Professional should have been straightforward, but the upgrade mechanism is built assuming sequential upgrades.  In other words, if I had version 7.0.5.172 of Acrobat Professional installed and the current one [back when I started writing this was] 7.0.9.something, I would expect it to apply one upgrade.  Instead, one has to apply the 7.06, 7.07, 7.08 and 7.09 patches in order, rebooting after each.  For example, here’s after 7.0.7.142, two reboots, and still insecure:

[Image: Acrobat can bite my shiny metal ass]

Unlike the pathetic “troubleshooter” that comes with many applications and is written for someone born in the 1800s (e.g., has never, ever used a computer), Secunia suggests useful remediation. For example, in their toolbar:

[Image: toolbar]

has links to download the current patch, ignore the problem, remove the program, or get more details on the application.  It worked pretty well for Sun and Adobe products. Since I’ve been complaining about updates, I should note that all of Microsoft’s products were deemed updated:

[Image: all clean]

Once clean, my ZoneAlarm firewall went apeshit with each product launch because the applications’ signatures had changed and, gasp, were accessing the Internets.

This is almost as absurd as Vista’s UAC.  The same information available to Secunia is available to ZoneAlarm’s acquirer, Check Point Software. They should be able to pre-populate their rules to allow common, non-rogue applications like Windows Security Center Notification:

[Image: Windows Security thingie.]

The “More info” is utterly, completely, insultingly useless.

Zone Alarm was originally a reasonable firewall. As they’ve gone after the additional revenue, they bloated the package to include anti-virus, anti-spyware, anti-instant messaging (but, sadly, not instant massaging; that I would buy), desktop de-iconifier, orbital mind control laser shielding, and high colonics.  I think I’m making up those last ones, but I apologize in advance if I’ve given them more ideas.

Check out its marketing-designed console, designed to scare me into thinking it’s doing a lot of stuff to “help me out:”

[Image: Zone Alarm Console]

2,537 intrusions! 62 high-rated! 1,143 program(s) secured for Internets! 9 spies treated! Panic! Font’s! Action Items! It’s all bullshit.  The 62 “high-rated” were all DNS lookups or NetBIOS chirps from my Tivo:

[Image: log]

The 1,143 programs secured is misleading.  Every application that’s ever run a setup program is mentioned.  All of the little cygwin utilities (ping, ls, grep, wc) count.  The eight Adobe Flash and nine Java runtime installs are seventeen of these:

[Image: yawn]

And “spies treated” is a fancy name for “tracking cookies.”  While I have doubleclick.net mapped to 127.0.0.1, questionmarket and 2o7.net were not. Risk = Low, Malodorous Cow Excrement Threshold = Exceeded

[Image: oh, no, spies!]

Because it was convenient, and I have had bad experiences with another vendor’s Slow My Computer Down Suite, I am using Zone Alarm’s anti-virus product, but with the “full system scan” set to the minimum non-off level it permits (lest Windows complain). For the record, I have never, ever had a virus scan report a true positive. Here’s why I don’t like running full virus scans:

[Image: Twelve and a half hours, and it's still going... And you want me to do this daily?!]

Anti-Spyware: Spybot Search & Destroy, a freeware utility, seems to work well enough.  It’s never found anything, either, but it also doesn’t nag me into running it more than once a quarter.  Also, it does produce a list of new ad sites to use the ol’ 127.0.0.1 trick on.  Included with it is a registry locking thingie (TeaTimer) that is useful for geeky amusement at what stuff does to my system.   After watching it, I’m convinced Windows seriously needs a built-in Registry De-Crapifier.  Commercial tools like “Registry First Aid” take the Zone Alarm approach and report so much laughably obvious stuff that should just be deleted without asking me — we’re talking temporary files created by MS Word last month — that they have lost credibility as applications.

Ad blocking is often marketed as a pay option in some uber-suite.  I suppose if you used Internet Explorer all the time, you’d want this sort of thing.  Frankly, it’s easiest to use Firefox with the add-ons: Adblock Plus and the Adblock Filterset.G Updater. When I’m in maximum paranoia mode, I’ll use this plus the NoScript plugin.  I don’t appreciate how many ads this blocks until I’m forced to view some site hard-coded for IE.

Disk defragmenter.  Seriously.  I really don’t understand why Windows doesn’t have this on by default, except it would slow down all the other crap above.  Linux/Unix/Mac solved this problem a long time ago.  I’d been using PerfectDisk because it has a nice scheduler.

—————————-

Linux is this close to being a viable substitute.  They figured out how to apply updates a long time ago.  (There are “more” of them, because it’s counting minor utilities.) It comes with a firewall.  It isn’t as prone to viruses because (a) it’s less common and (b) users don’t run — or need to run — with elevated privileges for most of their computing.  There are even virtual machines to run necessary but unported applications (*cough* Photoshop).

The remaining problems:

a) wireless networking.  Ubuntu 8.04 was working fine.  However, the 8.10 upgrade requires a driver that I need to download.  Oh, yeah, that’s right, I don’t have a fricking network because you guys disabled it! (In actuality, I’ll find a land line and try to resolve it.  Or I’ll revert to an older/different flavor.)

b) Keyboard shortcuts.  Oh, how I pine for a binding to the Windows “Start” button so I can set up all my applications to be two key launches.

c) Disabling the touchpad when an external USB mouse is plugged in.

1 thought on “Application Insecurity”

  1. Wow. This is just incredible. I mean it!

    From over here in Mac land, I run the Norton Anti-virus thing once a week (auto-scheduled). I have it limited to checking my mail folders and “Dloads”, where anything I download automatically gets dumped. Is there a reason to scan anywhere else? The few times it’s found anything, it’s been a Windows attachment virus, which Norton detects (and “quarantines”) even on the Mac, even though it’s entirely harmless here.

    Activating a firewall is as easy as checking a check-box.

    Keyboard shortcuts are supposed to be a whiz using Quicksilver, which many of my friends swear by. I had a bad experience with it when I first got my MacBook and haven’t tried it since. Maybe I should… 🙂
