Security by obfuscation

24.09.2012 by Martin Kuppinger

The reaction to the security alert for Windows Explorer recently revealed an interesting phenomenon: many people believe in security by obfuscation. I alerted some people when I first saw the news concerning that security issue. Some reacted by saying: “I like my Apple iBook” or “I’ve used other browsers for a long time”. No doubt, these people are not affected by that Internet Explorer security issue. But the underlying message in these comments is about “security by obfuscation”.

Today I read another news story about iOS 6, which addresses more than 200 security issues that allow virtually everything from bypassing the PIN-based lock to faked SMS sender IDs or code injection. One of these bugs isn’t even explained in detail by Apple. It is a bug in the processing of configuration files that allows attackers to claim that there is an important, correctly signed system update. In fact it isn’t, and so the bug allows the installation of malware. Without going into detail: iOS has never been really secure, and considering the way Apple deals with security issues and patches the system, it isn’t leading-edge.

Other browsers also have their weaknesses. And most vendors don’t provide security information in the same (relatively) open way Microsoft does, nor do they have a well-defined patch process.

It is a matter of fact that operating systems and browsers have security weaknesses, and new ones are identified regularly. It is also a matter of fact that the interest of attackers in operating systems and browsers increases with their market share. So there is little reason to assume that you are far more secure when using Apple devices, operating systems, or the Safari browser. There is some reason that you are at less risk when using one of the more obscure browsers. But security by obfuscation doesn’t really make sense.

So instead of sitting back with a sardonic grin, it is better to try to understand the risks in your own environment. The good thing about Microsoft environments is that at least many users are more aware of the risks and don’t try to fool themselves…

Besides the point that everyone needs to understand that there is no secure software and thus all environments are at risk (and the more success a platform has in the market, the higher the risk), there is another important point to look at: how do the vendors deal with security issues? Do they inform openly? Do they have a quick, reliable, and simple approach to applying security patches? Instead of blaming vendors, it should be understood that every security bulletin and press release about new security issues is positive in the sense that it proves there is a working process for identifying and patching security issues. That is much better than leaving massive security holes open until the next operating system update. Not having such a process is also a form of obfuscation – and it doesn’t help the customer, because the potential attackers are communicating about known issues anyway.

For those who want to see some numbers: just download the annual report from www.secunia.com. It is not only, and not even mainly, about Microsoft anymore. Security risks on Microsoft platforms and in Microsoft software affect a lot of users. But if you look at the numbers for Apple, Adobe or the leading Linux distributions, you should be scared. And in contrast to Microsoft, many of them neither inform well about security issues nor have an efficient patch management process in place. So you should neither try to become more secure by obfuscation nor obfuscate your own view of the reality of security.

© 2014 Martin Kuppinger, KuppingerCole