Sophos: Mind your software defaults

Vendors and users need to give more thought to software or product configurations, or risk compromising security posture, say security experts.

Organizations need to pay attention to software configurations and control them appropriately, or risk compromising their security posture, industry experts have warned.

Users can be better protected if more thought was given to the default product configuration, Fraser Howard, principal virus researcher at SophosLabs, pointed out in a recent blog post.

One case in point was Adobe Reader, which runs embedded JavaScript by default. That leaves an open door to the attacker, as seen in recent PDF-based attacks. "Given the growth in malware using PDFs as a point of entry, why do we accept the decision to enable such functionality by default?" Howard questioned.

Elaborating on Howard's argument, Paul Ducklin, Sophos' Asia-Pacific head of technology, said software and hardware vendors are sometimes too keen to show off the functionalities available in their products. "They turn that functionality on because it is there, rather than because it is necessary or important."

Default settings, he noted, are not a new problem. About a decade ago, the main vehicles for malware infection were macro viruses or Trojans in Microsoft Office files. This was partly due to "full-blown macro programming functionality" in every Office installation, a feature a user couldn't turn off even if that person wanted to, Ducklin pointed out.

"Presumably, Microsoft was afraid that if they allowed people consensually to [disable] Office's macro-handling capacity, some users might begin to think that macros weren't possible at all in Office, which might reduce the overall appeal of the product, or lead to bad reviews, or end up in unfavorable comparisons with competing products which did obviously have such a feature. So, in Office history, features won out over security for some years," said Ducklin.

"Eventually, Microsoft began to add operational restrictions to the macro system so that it retained almost all of its usefulness in real life, whilst breaking some key behaviors on which malware authors had relied," he continued. "Macro viruses then began to wither and die out. These days, they are rarely seen."

Firewalls and routers, added Ducklin, also ship with default settings that make them easier to deploy but leave a window in which malware authors can reconfigure them before those defaults are changed. "For example...default accounts and passwords on systems such as new routers and firewalls should work only for the purpose of setting non-default passwords, and the device shouldn't begin to function as a router or firewall until such changes have been made."
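Ducklin's setup gate, as an added example in Python that is not code from Sophos or any vendor: the factory credential is accepted only for setting a new password, every other management action is refused while it is live, and the device reports itself as non-forwarding until the default has been replaced. The class, the method names and the `admin`/`admin` factory default are all constructed for illustration.

```python
# Added example (not Sophos' or any vendor's code): a minimal model of a
# router/firewall that stays inert until its factory password is replaced.
# The "admin"/"admin" credential and the 12-character minimum are constructed.
import hmac

FACTORY_USER = "admin"
FACTORY_PASSWORD = "admin"   # constructed factory default
MIN_PASSWORD_LEN = 12


class SetupGateDevice:
    """Device whose only permitted action on factory credentials is set_password."""

    def __init__(self):
        self._user = FACTORY_USER
        self._password = FACTORY_PASSWORD
        self._default_credentials = True   # still on factory settings

    def authenticate(self, user, password):
        # Constant-time comparison so the gate itself does not leak timing info.
        return (hmac.compare_digest(user.encode(), self._user.encode())
                and hmac.compare_digest(password.encode(), self._password.encode()))

    def forwarding_enabled(self):
        # Routing/firewalling stays off while the factory credential is live.
        return not self._default_credentials

    def set_password(self, user, current_password, new_password):
        if not self.authenticate(user, current_password):
            raise PermissionError("bad credentials")
        # Reject re-use of the factory default and trivially short replacements.
        if new_password == FACTORY_PASSWORD or len(new_password) < MIN_PASSWORD_LEN:
            raise ValueError("new password must differ from the factory default "
                             "and be at least %d characters" % MIN_PASSWORD_LEN)
        self._password = new_password
        self._default_credentials = False
        return True

    def admin_action(self, user, password, action):
        """Any management action other than set_password is refused on defaults."""
        if not self.authenticate(user, password):
            raise PermissionError("bad credentials")
        if self._default_credentials and action != "set_password":
            raise PermissionError("factory credentials may only set a new password")
        return "%s accepted" % action


def demo():
    """Walk the gate: inert on defaults, management refused, live after the change."""
    dev = SetupGateDevice()
    before = dev.forwarding_enabled()            # False while on defaults
    try:
        dev.admin_action("admin", "admin", "enable_wan")
        gated = False
    except PermissionError:
        gated = True                             # refused until password is set
    dev.set_password("admin", "admin", "correct-horse-battery")
    return before, gated, dev.forwarding_enabled()   # (False, True, True)
```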

Rohit Dhamankar, director of security research at TippingPoint's DVLabs, pointed out in an e-mail that vulnerabilities due to misconfiguration or default settings make up just 2 percent of the total pool of discovered vulnerabilities. TippingPoint routinely discovers vulnerabilities in software and publishes advisories on them through its Zero Day Initiative.

"However, depending on the install base of the product, the effects can be extreme," he noted. "For instance, a network router vulnerable to default password or SNMP (Simple Network Management Protocol) community string can allow an attacker to control an organization's network."

According to Sophos' Ducklin, features and ease-of-use or ease-of-deployment may often triumph over security, but prevention is nonetheless better than cure. Vendors should turn "possibly dangerous features off by default" and monitor closely what happens when well-informed early adopters opt to activate those features, he advised.