Reduce Your Attack Surface to Reduce Security Threats
Oracle has elected not to release an out-of-band security patch to fix a critical security hole in Java. The flaw, which allows a remote attacker to take full control of an affected computer, is slated to be fixed in the next routine Critical Patch Update, which will be released in February 2013.
Even though the security researcher who discovered the vulnerability has provided Oracle with a patch, attackers will have a four-month window during which they can attempt to exploit the vulnerability. This follows an incident back in August 2012 where Oracle was found to have known about a similar critical vulnerability for months but only issued an an emergency patch to address it after hackers began to widely exploit the security hole.
It's regrettable that vendors can't always be relied upon to promptly address security issues. However, regardless of what one thinks about Oracle's actions, the unfortunate truth is that the find-and-patch approach to security is inherently problematic. The attacker is always one step ahead, the defender must always keep their systems impeccably patched, and an attack that the vendor doesn't know about will always succeed.
Reducing your attack surface is a strategy that will help you minimize the number of security threats you are exposed to, whether they are promptly fixed or not. It means, simply, trying to reduce the number of potential targets you present to a would-be attacker. By turning off unnecessary services, uninstalling disused programs, and reducing the amount of external code that your own software depends on, you decrease the number of potential vulnerabilities you are exposed to.
Apple has done just this by removing its Java build from all Macs in a recent update. Security experts are recommending users do the same, especially with regards to the Java browser plug-in. Very few websites use Java nowadays, and the plug-in is by far the easiest way for a remote attacker to exploit a Java vulnerability.
Is the concept of an attack surface something people are aware of where you work? What kinds of steps do you take to weed out software or features that could become a liability?
