Mikko Hypponen is one of the best known names in the anti-virus industry.
In this article he describes how the last decade has completely changed who we are fighting, and how 2003 was a turning point in the history of computer security.
If you were running Windows on your computer 10 years ago, you were running Windows XP.
In fact, you were most likely running Windows XP SP1 (Service Pack 1).
This is important, as Windows XP SP1 did not have a firewall enabled by default and did not feature automatic updates.
So, if you were running Windows, you weren’t running a firewall and you had to patch your system manually – by downloading the patches with Internet Explorer 6, which itself was riddled with security vulnerabilities.
No wonder then, that worms and viruses were rampant in 2003.
In fact, we saw some of the worst outbreaks in history in 2003: Slammer, Sasser, Blaster, Mydoom, Sobig and so on.
They went on to do some spectacular damage. Slammer infected a nuclear power plant in Ohio and shut down Bank of America’s ATM systems. Blaster stopped trains in their tracks outside Washington DC and shut down Air Canada check-in systems at Canadian airports. Sasser thoroughly infected several hospitals in Europe.
The problems with Windows security were so bad that Microsoft had to do something. And it did.
In hindsight, the company did a spectacular turnaround in its security processes.
Microsoft started Trustworthy Computing. It stopped all new development for a while to go back and find and fix old vulnerabilities.
Today, the default security level of 64-bit Windows 8 is so far ahead of Windows XP that you can’t even compare them.
We’ve seen other companies do similar turnarounds.
When the Microsoft ship started to become tighter and harder to attack, the attackers started looking for easier targets.
One favorite was Adobe Reader and Adobe Flash. For several years, one vulnerability after another was found in Adobe products, and most users were running badly outdated versions because updating wasn’t straightforward. Eventually Adobe got their act together.
Today, the security level of, say, Adobe Reader is so far ahead of older versions of the PDF reader that you can’t even compare them.
The battle at hand right now is with Java and Oracle. It seems that Oracle hasn’t gotten their act together yet. And maybe they don’t even have to: users are voting with their feet and Java is already disappearing from the web.
The overall security level of end users’ systems is now better than ever before. The last decade has brought us great improvements.
Unfortunately, the last decade has also completely changed who we’re fighting.
In 2003, all the malware was still being written by hobbyists, for fun. The hobbyists have been replaced by new attackers: not just organized criminals, but also hacktivists and governments. Criminals and especially governments can afford to invest in their attacks.
As an end result, we’re still not safe with our computers, even with all the great improvements.
But at least we don’t see flights grounded and trains stopped by malware every other week, like we did in 2003.
When I do a Java update (which is not uncommon), I see the "2 billion devices run Java" splash, and it frightens the life out of me. Makes you wonder how many of these embedded devices are running Java version 0.5 from nineteen canteen, and are vulnerable to all sorts.
"Luckily" I suppose many of these devices don't have a path to run arbitrary code too easily but there's got to be a bunch of "soft underbelly" in embedded systems still, just because they're tough to update.
A real nostalgic piece, just a note on Java: it is disappearing from the FRONTEND of the web, and rightly so, along with Flash, as HTML5 and modern browsers replace the functionality of Java and Flash … it has no place being there now, but it is INCREASING at the backend, and again rightly so: one code to rule them all! A single codebase that can be maintained across all platforms.
XP SP1 did not prompt to turn on automatic update during OOBE, but you could turn it on later if you wanted it.
IMO, what makes it particularly difficult with Java is that Sun always told developers it was perfectly OK to hardcode a dependency on a particular version and build of Java, because you could install multiple versions side by side. Many devs (and their apps) have not gotten away from that mindset, and there are no “version-lie” app-compat shims to fix Java apps the way there are for Windows apps.
I wrote about it a couple of years ago:
Alert: Java’s Forward-Compatibility Promise Has Been Revised
http://blogs.technet.com/b/fdcc/archive/2011/10/18/alert-java-s-forward-compatibility-promise-has-been-revised.aspx