Cross-platform vulnerabilities: revisiting the mono-culture risks

One of the CNet articles covering the 2008 RSA conference makes a new point about the competitive standing between the different operating systems: namely it may not be the OS itself that matters at this point. The author Tom Krazit argues in “Mac Security Not So Much About the Mac” that as the operating systems have been hardened, threats moved up the stack to applications running on top of the platform, which are often written by vendors with no connection to the OS vendor:

“At the CanSecWest conference, no one was able to take control of three laptops in play (the MacBook Air, a Fujitsu running Windows Vista Ultimate, and a Sony Vaio running Ubuntu) when attacks were confined just to the operating system. But Miller’s Safari exploit, and the Flash flaw later exploited by Shane Macaulay, Derek Callaway, and Alexander Sotirov on the Vista laptop, show how security threats are now much more focused on the browser, rather than the operating system.”

The comparison is not quite accurate because Safari is written by Apple and distributed aggressively, including the recent 3.1 update forced on all Windows iTunes users who may have expressed no interest in having yet another web browser. Flash on the other hand is now associated with Adobe after its acquisition of Macromedia. No connections to MSFT there, and in fact they are arguably competitors. (Over the years, Flash emerged as a successful new platform on top of web browsers for delivering rich client experiences; something Java attempted with much fanfare before it flamed out and Sun re-focused its efforts on the enterprise market. More recently MSFT has positioned Silverlight as an alternative to Flash to regain developer mind-share.) Safari is a part of the Apple platform as much as Internet Explorer is rightly considered a part of the operating system; the latter was a central argument in the bundling question from the DoJ anti-trust trial of the late 1990s. This would not be the first time that Flash caused problems; for example its deliberate opening of backdoors in the same-origin policy and flawed implementation of controls  for the backdoor (namely the well documented over-zealous desire to see a cross-domain policy in any conceivable piece of random data) lead to significant problems for web sites in the past.

Still there is an interesting connection between this observation and the mono-culture argument from 2003. Flash-back: a group of security professionals including Bruce Schneier,  Dan Geer and Peter Gutmman co-authored a position paper titled Cyberinsecurity: cost of monopoly. Subtitled “How the dominance of Microsoft’s products poses a risk to security” the paper argued that having one operating system running on large number of machines created a single point of failure that provided attackers with an easy way to take out a large fraction of infrastructure by exploiting just one vulnerablity. No good deed goes unpunished: Geer was summarily dismissed (“promoted to customer”) from @Stake, which at the time had a business relationship providing auditing and penetration services to Microsoft.

Machines getting 0wned thanks to cross-platform extensions such as Flash pose a challenge for the mono-culture argument. After all one of the benefits of Flash, like its predecessor Java before, is to write portable code that works in any web browser on any platform. But this also opens up the possibility of cross-platform vulnerabilities. Not all of the code for Flash will be shared between say a Mac/Firefox version and the Window/IE7 version. But at least some critical components are: for example recently bugs were discovered in the regular expression engine affecting all platforms. The irony is that even when the installed base of operating systems diversified, a middle-layer designed to bridge the differences between these platforms will create similar risks as a mono-culture. The existence of such a middle-layer is a guaranteed by market conditions, whether it is Java, Flash or Silverlight. It is not economical for developers to target code to every possible hardware, OS and browser combination. An intermediate layer gives up some power and expressiveness that could have been achieved with code “native” to a specific platform, but in return promises greater reach across all plaforms. The mono-culture agreement taken to its logical conclusion would suggest not all users must have Flash: some should have Silverlight only and perhaps others rely on Java for rich-client experiences. (It’s not enough to also install the others; since the presence of the extension is enough to make it exploitable.) At this point it is running against market dynamics.


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s