With Santa Claus on his way and another year coming to a close, it's time to start thinking about 2007. The New Year has always been a favorite time of mine as I look forward to having a clean slate. It's a blank canvas upon which I can draft a perfect chapter in the book of life and correct all the mistakes from prior years. With that in mind, I'd like to share with you my New Year's resolutions. Not for me, of course; I can never keep those. These are security resolutions for vendors in the IT industry. If they can just take the time to implement these simple changes, all of our security woes will be a thing of the past, or at least we can dare to dream.
Microsoft
"Thanks for working so hard on security. Now work harder."
For some time now, I've applauded the efforts made by Microsoft to improve security in their products. The Trustworthy Computing Initiative announced in 2002 has turned out to be real. Microsoft was willing to put their money where their mouth is and has come a long way in a short period of time. That said, being the 900 lb. gorilla places a large target on your back. Microsoft will always need to fight to stay ahead of the security curve, and there are still some areas that need improvement.
2006 was the year of client side vulnerabilities for Microsoft as it scrambled to patch various file format vulnerabilities in Internet Explorer, Windows Media Player and especially Microsoft Office. During the course of the year, two out-of-cycle patches were released (MS06-001 and MS06-055). Both of these patches were fast tracked due to the active exploitation of file format vulnerabilities. It was also an extraordinarily rough year for Microsoft Office products, with over a quarter of the total security bulletins for 2006 affecting Office products, several of which were 0day vulnerabilities. In fact, as I write this, we're still waiting on patches for at least eight Microsoft 0day vulnerabilities and, according to eEye and ZDI, there are more where those came from.
Microsoft has done an admirable job locking down the gaping server side vulnerabilities that led to fast spreading worms such as Sasser, Slammer and Blaster. Yet, in doing so, they have caused attackers to shift their focus to client side vulnerabilities, and at the present time attackers have the upper hand with no shortage of attack vectors. Microsoft needs to shift their focus to the client side in 2007 and aggressively plug the many holes that exist in desktop applications. Fortunately, the release of Microsoft Vista should have a positive effect on reducing the threat of client side buffer overflow vulnerabilities thanks to the inclusion of address space layout randomization (ASLR).
Apple
"2006 was a rough year. Buckle your seatbelts because 2007 will be worse."
The security team at Apple is no doubt thankful that 2006 is coming to a close. 2006 introduced the Leap-A virus and, while doing minimal damage, it proved that the Mac was not inherently immune to viruses after all. Perhaps Steve Jobs will have to rethink the popular Mac commercial that pokes fun at viruses on PCs. Apple also had to deal with an embarrassing situation when admitting that it had shipped its popular iPod with virus infected Windows software. However, the story that grabbed the largest headlines was the presentation at the Black Hat security conference where David Maynor and Johnny Cache demonstrated an attack on a wireless MacBook driver. The ensuing media frenzy included denials from Apple, angry rants from Mac users and rebuttals from the researchers. In the end Apple did release a series of patches in September for their wireless drivers but maintained that they were unrelated to the Black Hat presentation. This was followed by another patch in November to address a vulnerability uncovered by HD Moore.
Apple has learned the hard way that increased popularity begets increased scrutiny. As the Mac platform becomes more popular, it will become an increasingly attractive target for attackers. Combine this with the shift to an Intel platform, for which there is a larger base of security experts, and it's not hard to expect an increase in the volume and severity of vulnerabilities in 2007. The year will begin with a bang for Apple as Kevin Finisterre and LMH present the Month of Apple Bugs, with plans to release a new Apple bug a day throughout the month.
MySpace
"It's time to move from adolescence to adulthood."
MySpace grew at an astounding pace thanks in part to lenient rules that permitted users to upload client side script. These lax rules allowed users to create dynamic pages that weren't permitted by competitors. Unfortunately, these same rules have also permitted the creation of web application worms such as Samy and the recently discovered QuickTime worm. The astounding growth of MySpace and the subsequent multi-million dollar sale demonstrate that security is not an absolute, it is simply another variable in the business equation. MySpace executives no doubt knew that they were taking risks by allowing users to become programmers and while that may not seem like an acceptable security risk, it was, at least for them, an acceptable business risk. However, MySpace is no longer the untamed teenager running around without rules. It's now part of a large corporation and has a responsibility to protect its millions of users from the phishing attacks that come with web application worms. It's time for MySpace and other social networking sites to crack down and time for users to let their voice be heard by avoiding those with poor security.
Google
"Keep sending us technologies that put security in the public spotlight."
Google has an unbelievable track record of pumping out cool new technologies. At the same time, some fear the power of these technologies as Google Hacking has become a popular tool for attackers. The Google search engine can allow attackers to identify vulnerable web sites without even needing to visit them. This year, Google added to that toolkit with Google Binary Search and Google Code Search. While these and similar technologies may allow us to uncover vulnerabilities with greater efficiency, ignoring the vulnerabilities will not make them go away. Keep up the good work Google.
Mozilla
"Keep fighting the good fight. Competition is good."
Mozilla, like Apple, is in a David and Goliath fight against Microsoft, and while we all love an underdog, the honeymoon period only lasts so long. While Firefox was once seen as a secure alternative to Internet Explorer, it too has been plagued with a steady stream of security vulnerabilities. Mozilla is taking security seriously according to their new Security Chief, but it will be an uphill battle. IMO, the greatest gift that Firefox has provided to the security community is the challenge that it presents to Microsoft. Internet Explorer 7.0 was released this year with a strong focus on security. Would IE 7.0 have taken five years to emerge with a major investment in security had Microsoft had a monopoly in the browser market? I think not. Keep fighting the good fight, Mozilla. It can be a thankless task, but we appreciate the effort.
Sony
"Sorry to hear about 2006. Hope the PS3 thing works out."
Sony is another company that is happy to see 2006 come to an end. Sony is not a software company and therefore not an entity that was used to dealing with security issues. That became evident when, in late 2005, a rootkit was discovered in its copy protection software. The story unfolded in the courts throughout 2006 and thus far it has cost Sony $5.75M in settlements. My recommendation to Sony: hire a battle hardened veteran from the software industry to run security. His war stories will come in handy.
Adware vendors
"Go away."
Far too many adware vendors are nothing short of crooks in a business suit. 180solutions is one of many players in this space and it's time for law enforcement to start aggressively cracking down on this industry. Beyond this, large multinational corporations that leverage adware companies for their advertising need to be held accountable for fueling this industry.
All vendors
"Make life easier for us. Move to monthly patch cycles."
Of all vendors, I ask for one small gift in 2007: move to regular patch cycles. All vendors building software beyond 10 lines of code will be forced to deal with vulnerabilities and patch management. It's a reality of the industry and end users have learned to cope with it, but vendors can make life easier for their users by allowing them to be prepared for the release of new patches. Microsoft moved to a monthly patch cycle a couple of years back and it has gone a long way toward making patch management more palatable. While we don't know what Microsoft will patch, at least we know when the patches will emerge and we can be prepared for them. Oracle takes a similar approach but has fallen short by choosing a quarterly patch cycle, which is too infrequent when dozens of vulnerabilities are addressed in each round. With that volume of fixes, receiving patches every three months leaves end users exposed for far too long. Even Microsoft, with a monthly cycle, has learned that out of cycle patches are still required. Here's one instance where everyone can learn from Microsoft's lead.
Happy holidays everyone! See you in '07!
- michael
Posted 12-22-2006 2:25 PM by erik.peterson