


‘Sexy’ talk and security? Gross

Jul 13, 2011, 4 mins
Data and Information Security

Marcus Carey, a security researcher with Rapid7, described one of the flaws Microsoft patched yesterday as “sexy.” Gross.

He was talking about a vulnerability in the Bluetooth technology within Vista and Windows 7 that could be used to take control of a nearby PC. The flaw and fix are outlined in Microsoft bulletin MS11-053.

Here’s the quote, included in a Patch Tuesday story written by my colleague, Gregg Keizer:

“This one’s sexy,” said Carey. “It’s classical spy kind of stuff, being able to access [a PC] using Bluetooth when [the victim] doesn’t even know you’re there. All [an attacker] would have to do is go to Washington, D.C. or northern Virginia, where lots of U.S. government employees work, and sit at a Starbucks or somewhere else with free Wi-Fi.”


Now, this post isn’t meant to bash Carey. I know him and respect him. He’s a good guy, and I know what he’s getting at with that quote.

I just think it’s gross is all.

Sophisticated? Sure. Dangerous? Perhaps.



Look at the language in Microsoft’s bulletin and tell me if you think it sounds sexy:

This security update resolves a privately reported vulnerability in the Windows Bluetooth Stack. The vulnerability could allow remote code execution if an attacker sent a series of specially crafted Bluetooth packets to an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. This vulnerability only affects systems with Bluetooth capability.

This security update is rated Critical for all supported editions of Windows Vista and Windows 7. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerability by modifying the way that the Windows Bluetooth Stack handles objects in memory.

Nothing sexy there. Technical, mechanical, yes. But it’s about as sexy as walking into your parents’ bedroom and catching them in a, um, intimate moment.


I sometimes catch flak for harping on this industry’s particular words, phrases and attitudes. That’s OK. I like a good debate. Some argue that I should keep the subject matter on the technical nuts and bolts. We do that plenty on CSOonline. Our “Toolbox” features are a perfect example of that. But we look at security from all angles: The machinery, the software and yes, the people and the language.

In this case, words are important because the right words can rally the community to counter a specific threat. Words can also lead the community to a lot of mischief and harm.

On the surface, calling something sexy is no big deal. But sexy is supposed to describe something good. Windows vulnerabilities are not good. Interesting, yes. But not good. Not sexy.

I’ll admit I have a knee-jerk reaction to the word sexy, mainly because it’s used in the news world in a manner I hate.

For years I’ve been listening to editors say something like this: “We should do a story on (pick your topic). It’s sexy.”

In this case, sexy means we can slap a crude headline on the article and get a gazillion page views.

It also means the subject matter will probably be something I don’t see as particularly threatening or useful.

That’s my opinion, anyway.

I hope Marcus doesn’t take this personally. Like I said, he’s a good guy and great at what he does. I thank him in advance for letting me have a little fun at his expense.

–Bill Brenner
