Panic! Confusion! The World is ending! Three zero-day vulnerabilities affecting Microsoft products have been discovered this month. CERTs are issuing advice like:
- “Don’t open untrusted Office documents”
- “Don’t visit untrusted web sites”
- “Disable Active Scripting”
When you consider the nature of trust, you might as well advise people to stop using the Internet and throw away their computers.
And yet, life goes on normally, and Symantec has decided that the risk posed by the Trojans exploiting two of these vulnerabilities is “Very Low”.
How can both these views be valid? Unfortunately, until patches are available, each of these vulnerabilities offers attackers a way into our machines that we can only try to avoid, not block. CERTs need to offer advice for each vulnerability, and the best advice is to try to avoid the attackers. On the other hand, Symantec is offering a risk level for infection by a particular Trojan. As Trojans do not spread on their own, your computer is only likely to be infected if an attacker targets you. The risk of a random computer being infected is minuscule, but the consequences could be catastrophic.
Ultimately, we have to accept that we live with our computers in a dangerous world and we need to continually judge the risks of our actions. The problems can only be solved at the source: in the short term, for these three vulnerabilities, that means patches from Microsoft; but in the longer term we need to question the development process that builds massively complex software systems with unknown numbers of vulnerabilities. We can be certain that these are not the last zero-day vulnerabilities to be found; some bad guys probably know about, and are exploiting, vulnerabilities we know nothing about.