As a matter of course, many software and OS vendors have pushed their products to include a wide range of capabilities and features. Often, many of these features are rarely -- if ever -- used. I know that of the dozen or so programs I use regularly, I probably only use about 10% of their built-in capabilities and functions. Why? Simply because I have a fairly regular set of work tasks and that 10% provides me with everything I need to get my work done quickly and efficiently.
However, software companies and their customers are starting to discover that feature-rich products often have hidden costs. The costs are not just in dollars, but in lost productivity, downtime and repair time. What has been discovered is that many features, especially very old and backward-compatible features, are coming under attack by unscrupulous programmers and crackers. Now, capabilities of operating systems, services and applications that you may not even have known about are becoming gaping holes in your security perimeter.
We are all aware of the exploitation of scripting languages and auto-executable code by viruses. Anyone with Microsoft's Word, Excel, Outlook, and Internet Explorer -- in other words, anyone with a Windows OS -- has had to deal with turning off these capabilities and blocking incoming traffic to prevent exploitation. If you have Windows XP, you've had to address the issue of Universal Plug and Play and Raw Sockets -- see www.grc.com if you need more details on those.
In the last week, a new threat has reared its ugly head. It is a threat that takes advantage of an information distribution service and a protocol that many of today's Internet users have never even heard of, a tool that was around before the Web and upon which I cut my online teeth: namely, Gopher. Gopher was a text-only hierarchical linked menu system that allowed for content searching and file downloading. It paved the way for many of the features we take for granted today on the Web. But Gopher has long lost its place in the spotlight. Because it is a text-only and fairly limited tool, barely a handful of useful Gopher servers are left lurking on the Internet.
The new threat is based on Internet Explorer's (and possibly other browsers') support for the Gopher protocol. An adept programmer can easily submit a URL to your browser via a Web site or an e-mail that accesses the Gopher protocol to execute a command of their choice. If an unknown, unauthorized and unscrupulous individual can execute a command of their choice on your system, then you have no security, no secrets and no real control over your own computer.
Microsoft has already released a patch to correct this problem in IE. Other browser vendors are sure to follow suit if the same error is found elsewhere. However, this issue goes to show that backwards compatibility and feature richness are not always positive aspects of a product. You should think twice before deploying a new product that maintains support for older and often insecure capabilities and which boasts new powerful features.
As for a security policy component to handle this issue, you should actively monitor your system for abnormal and unauthorized activity. This is usually delegated to an intelligent IDS. You should also employ the tactic of blocking all inbound and outbound ports on your firewalls, routers, gateways and proxies that are not absolutely necessary for performing work tasks. Limiting traffic flow is only a short-term band-aid approach to dealing with this issue. Ultimately, vendors will need to supply software patches to repair problems with current products and develop new products that lack these problems.
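The monitoring and port-restriction policy above can be checked against your own data. The following Python is an added example, not part of the original article: it flags URLs with schemes outside an allow list in message or page text, and outbound connections to ports outside an allow list. The allow lists, the log format and the sample data are assumptions constructed for illustration.

```python
import re

# Assumed policy for this example: only these URL schemes and outbound
# destination ports are needed for work tasks; everything else is flagged.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
ALLOWED_EGRESS_PORTS = {25, 53, 80, 443}

# Matches scheme://rest, stopping at whitespace, quotes or angle brackets.
URL_RE = re.compile(r"\b([a-z][a-z0-9+.-]*)://[^\s\"'<>]+", re.IGNORECASE)

def find_legacy_urls(text):
    """Return URLs in text whose scheme is not on the allow list."""
    hits = []
    for m in URL_RE.finditer(text):
        if m.group(1).lower() not in ALLOWED_SCHEMES:  # schemes are case-insensitive
            hits.append(m.group(0))
    return hits

def audit_egress(log_lines):
    """Return (src, dst, port) for outbound connections to non-allowed ports.
    Constructed log format: '<timestamp> OUT <src_ip> <dst_ip> <dst_port>'."""
    findings = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 5 or parts[1] != "OUT" or not parts[4].isdigit():
            continue  # skip malformed or inbound records
        port = int(parts[4])
        if port not in ALLOWED_EGRESS_PORTS:
            findings.append((parts[2], parts[3], port))
    return findings

# Constructed sample data (documentation address ranges, not real hosts).
# Port 70 is the standard Gopher port.
SAMPLE_MAIL = '<a href="GOPHER://198.51.100.7/1/menu">Click</a> or visit https://example.com/'
SAMPLE_LOG = [
    "2002-06-10T09:14:02 OUT 10.0.0.23 203.0.113.5 443",
    "2002-06-10T09:14:09 OUT 10.0.0.23 198.51.100.7 70",
    "2002-06-10T09:15:30 IN 198.51.100.9 10.0.0.23 80",
    "garbled line",
]

if __name__ == "__main__":
    for url in find_legacy_urls(SAMPLE_MAIL):
        print("unexpected URL scheme:", url)
    for src, dst, port in audit_egress(SAMPLE_LOG):
        print(f"egress to non-allowed port {port}: {src} -> {dst}")
```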
About the author
James Michael Stewart is a researcher and writer for Lanwrights, Inc.
This was first published in June 2002