CSI criticizes Microsoft's hack-and-patch strategy

Posted by Aharon Etengoff

San Francisco (CA) - The Cyber Secure Institute (CSI) has criticized Microsoft's current "hack-and-patch" strategy.

"We have to break this cycle. We have to stop relying on the old hack-and-patch. We need to focus on deploying new technologies that are inherently secure—technologies that are, in fact, certified secure against the types of threats we face today," CSI executive director Rob Housman told TG Daily.

Indeed, Microsoft's latest Video ActiveX Control security advisory (972890) did not even include an update or patch.

Security Vulnerability

"With this ActiveX security flaw, if a user visits certain websites and uses the ActiveX Control system, the vulnerability allows the hacker to take control and become the main user on the personal computer—in essence they own you, or at least your computer and your data," said Housman. "Not only can a hacker have total access to all the data on the computer, but the hacker can use your computer for a host of malicious purposes. Because of the widespread use of Internet Explorer and ActiveX on Microsoft operating systems, this vulnerability puts at risk untold numbers of computers."

Housman speculated that Microsoft likely faced severe time constraints in coding a patch.

"That Microsoft would go out with this vulnerability even without an update shows the high degree of risk here. Moreover, it shows the overall level of vulnerability inherent in today's IT environment," explained Housman. "I hope to be proven wrong, but Windows 7 probably won't offer any serious security improvements."

According to Housman, security requirements are often ignored during the design of a new system.

"This approach - where security is essentially bolted on - is destined to fail. It forces administrators to build a wall around an inherently insecure system. However, as in real life, people can go around, over and under a wall."

Housman also noted that a number of recent high-profile cyber attacks were executed by "sophisticated actors."

"These were not vanity or teenage hacks. Rather, these were individuals who carried out such attacks for national security or criminal advantage. Unfortunately, we are likely to see an increase in such attacks."