Shostack + Friends Blog Archive


Halvar on Vulnerability Economics

Back in July, I wrote:

If fewer outbreaks are evidence that things are getting worse, are more outbreaks evidence things are getting better?

Now, I was actually tweaking F-Secure a little, in a post titled “It’s Getting Worse All The Time?” I didn’t expect Halvar Flake would demonstrate that the answer is yes. Attacks getting worse may well mean that things are getting better. Which is kind of counter-intuitive.

In “Client Side Exploits, a lot of Office bugs and Vista,” he writes about the other side of the Vista exploit coin, and how good security can drive bugs into widespread use:

ASLR is entering the mainstream with Vista, and while it won’t stop any moderately-skilled-but-determined attacker from compromising a server, it will make client side exploits of MSOffice file format parsing bugs a lot harder… As a result of this, client-side bugs in MSOffice are approaching their expiration date. Not quickly, as most customers will not switch to Vista immediately, but they are showing the first brown spots, and will at some point start to smell.
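
Halvar’s point only holds for images that actually opt in: on Vista an executable or DLL is randomised only if its PE header sets the DYNAMIC_BASE bit and its relocations were not stripped at link time. The following checker is an added example (mine, not Halvar’s or the blog’s), and the `_fake_pe` helper builds a constructed minimal header so the script runs without a real binary.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics bit
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image opts in to ASLR (Vista+)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image opts in to DEP

def pe_aslr_status(data: bytes) -> dict:
    """Read the ASLR/DEP opt-in bits from a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    coff = e_lfanew + 4                           # COFF file header follows the signature
    (characteristics,) = struct.unpack_from("<H", data, coff + 18)
    opt = coff + 20                               # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):               # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dynamic_base": dynamic_base,
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        # the loader can only randomise an image it is able to relocate
        "aslr_effective": dynamic_base and not relocs_stripped,
    }

def _fake_pe(dll_chars: int, characteristics: int = 0, magic: int = 0x10B) -> bytes:
    """Constructed minimal PE header (not a real binary) used for demonstration."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 240, characteristics)
    optional = bytearray(240)
    struct.pack_into("<H", optional, 0, magic)
    struct.pack_into("<H", optional, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(optional)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, pe_aslr_status(f.read()))
```

Run it over a directory of Office binaries or their loaded DLLs and any image reporting `aslr_effective: False` is one that Vista’s ASLR will not protect, whatever the rest of the system does.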

See also “Economics of vulnerabilities,” and “Vulnerability Game Theory.”