Security Watch

Arguing Over Botnet Taxation Leads to No Results

The debate continues over an Internet taxation framework. Plus: Report on IE and Firefox bug issues; Small number of Microsoft patches for March.

• By Jabulani Leffall
• 03/09/2010

As a tech policy writer for a regional newspaper nearly a decade ago, I was provided with free food and hotel accommodations when visiting with various public and private sector luminaries for discussions on the possibility of an Internet taxation framework. It was a contentious confab to say the least, with heated debates around questions over whether to tax Internet transactions and access. And as usual with dealing with a quarrelsome and outspoken group of individuals, nothing got done.

Fast-forward to last week. Scott Charney, a company vice president and head of Trustworthy Computing group, suggested combating malware, hackers, infected PCs and take down botnets, by taxation. This time it's a "tax on hacks." This would be similar to what a citizen might pay out of his local sales, municipal or state taxes for police and public safety services.

Charney also said in a speech at the RSA Conference that there are 3.8 million infected botnet computers worldwide, 1 million of which are in the U.S. These computers could fall under the proposed taxation.

He suggested that such an initiative might defray the costs for public and private sector members of the IT ecosystem in deterring and combating cybercrime.

The political objections and fallout based on such a suggestion would be automatic during a recession. Observers from security vendors such as ESET, Gartner nCircle, Symantec and Qualys have all come out in various news reports questioning such a prospect with varying degrees of cynicism.

Their contention is that the private market can take care of such vulnerabilities and, at the very least, it's the access points and ISPs that should be taxed. Not Microsoft.

For his part, Randy Abrams, director technical education at ESET, went even further in his blog to assert Redmond's Autorun program needs to be cleaned up before any lofty proclamations are made.

"I appreciate the remarkable and laudable security progress Microsoft has made," wrote Abrams. "But before you, Mr. Charney, ask users to swallow a tax or fee for bot clean up, bite the bullet and clean up the autorun infection vector."

I have an idea -- stop arguing and set up a commission to study the issue. Do it four or five times, invite some reporters put out spread and let the venues be in warm weather locales. Then we can talk.

Report: IE Safer than Firefox but Patched Less
Cenzic's new application security trends report states that Internet Explorer and the open source browser from Mozilla are the two programs with the highest number of bugs. According to the report, Firefox came in as the most vulnerable with 77 bugs, or 44 percent of total browser vulnerabilities, while IE scored 44 bugs comprising of 25 percent of all browser security holes.

The kicker from the report is that while IE has proven on the whole to be safer than its counterpart, the response time to fix vulnerabilities is the worst of any browser.

"Based on feedback from the last report, we decided to publish the number of patched vulnerabilities for each browser type," said a spokesperson for Cenzic in the report. "Notably, Mozilla fixed most of its vulnerabilities with only 12 percent unpatched, where as IE still had 36 percent unpatched."

A couple of other nuggets from the report, which covers the third and fourth quarter of 2009:

-Microsoft, Adobe, Sun and HP continue to be among the top 10 vendors with the most severe vulnerabilities for the second half of 2009.

-About 82 percent of the total reported vulnerabilities, according to the report affected Web technologies, such as Web servers, applications and browsers. Web components, such as plug-ins and ActiveX, were also on the list.

Light Patch on Tuesday, Heavy Work Coming
Tuesday will be the first time since the summer of 2008 that there are no critical patches in Microsoft's monthly rollout.

Typically, March is usually a light rollout month in the wake of heavy-patch  Februarys.  For example, Microsoft issued three bulletins last March and only four in March 2008. Both of March's minor updates were released today.

That being said, March will be an aberration. The rest of the year looks to be heavy with a large number of remediation and patches on the horizon. For instance, in the last two weeks, Berend-Jan Wevera, a Google engineer presenting at  the RSA conference found a flaw in Redmond's Data Execution Prevention (DEP) function in Windows, Microsoft issued a security advisory about VBScript as it relates to Internet Explorer and Redmond also reissued a February patch after users complained the patch locked up their operating systems.

In other words, enjoy this month because the coming months look to bring a slew of updates.