Security By Obscurity Doesn't Stop The Negative Day Exploits
from the just-saying... dept
This would be the latest in our ongoing series of stories about how the standard way of dealing with security problems doesn’t really work any more. It relies on a system of discovering the vulnerability, figuring out how to stop it, and then distributing a patch widely. That works for incredibly slow moving malware — but, if you hadn’t noticed, malware is learning how to spread ever faster. For years people have warned that this was going to lead to “zero-day attacks” where exploits are propagating before anyone has the chance to patch. That’s already started happening in many cases, and it demonstrates, again, why the “security by obscurity” argument some companies make, saying that everyone needs to stay quiet until they’ve patched their systems, is bogus. For example, the WMF exploit that got so much attention last month apparently was available on the black market for nearly a month before security firms started discussing it. In other words, any company that thinks keeping a security exploit quiet to prevent those with malicious intent from figuring it out are probably fooling themselves. Those with malicious intent already probably have it figured out.