NTA Monitor

Latest News

New version of network scanning tool arp-scan released

15th March 2011 A new version of a respected and popular network scanning tool has been released.

Tests show rise in number of vulnerabilities affecting web applications with SQL Injection and XSS most common flaws

1st March 2011 SQL injection and cross-site scripting (XSS) were the most common flaws found in web applications in 2010 according to results from tests carried out by NTA Monitor.

Assess risk to manage effects of budget cuts

9th February 2011 Signs of economic recovery may be appearing in some industries, but for most organisations - particularly in the public sector - budget cuts and cost savings are here to stay for the foreseeable future.

"Basic security threats not changed in 15 years"

1st February 2011 There may have been significant technological advances to the hardware and software organisations use, but according to Roy Hills, who co-founded NTA Monitor in 1996, the basic security threats have not changed in the last 15 years.

Responsible Patching

Microsoft's response to the "zero day" exploit that was used in the cyber attacks against Google shows that software vendors still have a lot to learn when it comes to responding to vulnerabilities.

It's not surprising that there are bugs in browsers - all complex software will have bugs, and some of those bugs will result in exploitable vulnerabilities. What is surprising is the continuing failure to respond to those vulnerabilities in a timely and open manner.

It turns out that this was not a "zero day" vulnerability after all, because Microsoft had been told about the bug in August 2009, four months before it was used in anger against Google in December and five months before the emergency patch was issued in January 2010. That is much too long to patch a critical vulnerability in a piece of software that is installed on almost every Windows system.

What is more shocking is the way the news of the bug was handled after the exploit became publicly known. First, Microsoft advised people to upgrade to IE8 and implied that only IE6 was vulnerable, when in fact the bug was present in IE7 and IE8 as well. This failure to address the issue prompted the German and French governments to advise their citizens not to use IE and to switch to a different browser. Finally, Microsoft released an emergency patch which fixed the vulnerability.

The sequence of events supports the widely held belief that many software vendors only fix bugs when they are forced to do so by public pressure. I've discovered a few vulnerabilities in my time, and although some vendors reacted positively, the majority only reacted when it was made public.

The vendors will say that full disclosure is a security threat because the vulnerability becomes public before they have a chance to develop and release a patch. But my own experience, which has been reinforced by this recent IE bug, is that many vendors don't react in a timely manner to private notifications. And quite often the bad guys will either know about the bug already, or may well discover it before the vendor gets around to patching.