Exploits in the "Wild West"

This just hasn’t been a great year for the security of applications or responsible disclosure, has it. First we have the Month of Apple Bugs (which is finding a number of application-specific vulnerabilities), then we have a raft of Adobe product vulnerabilities. Now we have VeriSign offering a substantial bounty for people to poke holes in IE7 and Vista.

It seems that what we’re seeing in the malware world is also happening in the vulnerability world. Financial motivation, a vast increase in overall traffic with no one incident being particularly huge, and a general feeling of being in the Wild West. Lawlessness and vigilantism seems to be the order of the day. That doesn’t generally lead one to feel like the internet is a shiny, happy place.

But what are we to do about this? Telling people they’re naughty and need to behave, when they’re getting such notoriety or financial gain obviously isn’t going to work. Making the notoriety and money stop coming is a largely futile effort as well, it would seem. Even suing Adware makers, as an example, seems to be reasonably ineffective.

Maybe the key lies in the consumer side of the equation. Maybe as the general populace becomes more aware of what things to avoid, and what things to do to protect themselves, this will become a moot point. The glut of malware and vulnerabilities will be like flies buzzing in our ears – an academic concern rather than a constant state of emergency. I do find it hopeful that people are becoming more aware of security issues, even if we have a very long way to go yet.