Thursday, September 16, 2004

Security Note

Microsoft has announced a critical vulnerability in Windows, which allows malicious code in JPEG files to be executed.
Source: BBC News

Like many security problems, this arises because of a failure of encapsulation. With a reasonable architecture, your photos could contain all sorts of secret messages and malicious code, but these would not leak out: the software platform would only execute the code inside some sort of sandbox. But I don't want to have to go to this trouble. The problem only arises because someone had the clever idea that JPEG files could contain code, and programs reading JPEG files would execute the code. (JPEG is an industry standard: we can't blame all this on Microsoft.) That clever idea only works safely if we assume a much more sophisticated software architecture and a much higher level of software quality than we are likely to see in the foreseeable future. Otherwise, such clever ideas are dangerous.

Lesson One: Clever ideas often increase complexity, and have a negative impact on security.

If even an innocent JPEG file can be crawling with malware, what are the implications for advanced middleware, such as web services? SOAP messages can carry all sorts of payloads, including compressed, fragmented and encrypted ones. An XML document can contain data or code, and the code can be in any language you choose. We know that passenger frisking and baggage screening don't always detect weapons, so how do we expect a firewall to detect dangerous data packages? The firewall (and the fortress model which depends on it) is made irrelevant by these advanced technologies.

Lesson Two: If we are using open distributed technologies, we must expect security to be managed in an open and distributed way, not by building a false illusion of central control.
