Vulnerabilities Fade from the Threat Foreground

By Larry Seltzer  |  Posted 2008-11-03 Print this article Print

Systems still get exploited through vulnerabilities, but it's a declining factor and there isn't a good reason for it anymore. If you use up-to-date products and take reasonable precautions, your chances of getting hit are small and decreasing.

The reports of Microsoft's "out of band" patch last week of a critical vulnerability in Windows all took note of how unusual it was. Out-of-band updates are unusual-the last one was MS07-017 on April 3, 2007-because Microsoft has gotten on top of the vulnerability problem better than anyone. In fact, I'd say the game is over. They win.

Of course, this doesn't mean that Windows users are all safe now and you can stop worrying about vulnerabilities. What it does mean is that if you use current versions of their products, are diligent about applying updates soon after they come out, have reasonably good and updated security software, and maybe do some reasonable education of users over what they can and can't do with computers, your chances of getting exploited by a vulnerability in a Microsoft product are pretty small. They have been getting smaller over time.

Part of the reason for this is explained in Microsoft's Jeff Jones's most recent report on desktop vulnerabilities. It's clear that things are way better than they were a few years ago. Jones' data shows that Microsoft has fewer and less severe vulnerabilities in its products, and that it patches them faster. And the most recent versions of Microsoft's products, the ones developed with the SDL (Security Development Lifecycle), are the least vulnerable of all, especially Office.

For years I've seen this trend and figured that it should translate into a pattern in the exploitation of vulnerabilities: The older and less-urgently patched a platform is, the more likely it is to be exploited. The newer and more urgently patched a system is, the less it would be exploited. Sure enough, this pattern is borne out in Microsoft's latest SIR (Security Intelligence Report), covering the first half of 2008. Microsoft's data comes from its own telemetry via Windows Update, the Malicious Software Removal Tool, ForeFront products and so on, so it's a huge sample, especially via the MSRT that runs on all systems that run Windows Update.

Consider Figure 80 in the report on Page 133, which shows the vulnerabilities behind the top browser-based exploits they collected. Browser exploits are probably the lion's share of vulnerability exploits today. Essentially all of the exploits of Windows vulnerabilities are targeting older, unpatched platforms.

The top one, MS06-014 (Vulnerability in the Microsoft Data Access Components [MDAC] Function Could Allow Code Execution), was patched 2 1/2 years ago. Only one Microsoft vulnerability in the list affects Windows Vista, at 1.1 percent of collected samples: MS07-017 (Vulnerabilities in GDI Could Allow Remote Code Execution). The update covered several vulnerabilities, and the one that mattered was also known as CVE-2007-0038, the ANI bug.

This was a very big deal when it came out, shortly after Vista was released, but one of the facts that quickly became apparent was that if Vista were exploited it would have to be through Internet Explorer 7 in Protected Mode (unless the user turned that off), and therefore the attack could not be persistent. As a practical matter, according to Microsoft, none of the existing attacks affects IE7 in Protected Mode.

Look down the exploit list in the SIR, and you'll see that the large majority are for vulnerabilities in third-party products, such as RealPlayer, QuickTime, BaoFeng Storm (some Chinese thing), Acrobat and so on. That's where the real action is in vulnerability exploits; users aren't as proactive about patching third-party products, and they aren't as in-your-face about patching as Windows is. (This is why I've suggested that Microsoft offer to host patching services for third parties on Windows Update, but that's not going to happen.)

The whole current MS08-067 Server vulnerability episode reinforces all of this for me. An update this past Friday night from the Microsoft Security Response Center repeats what I have heard, that people are patching furiously. It also notes that there is exploit code and a functioning attack. A hacker blog on (love that domain name) says they have found the exploit victim list for the worm and provide the complete list, including the User-Agent strings for all of them. A Securiteam blog says, based on the IP addresses in the list, that the users are "... mainly in Australia, China, Philippines, India, Japan, Korea, Malta, Malaysia, Taiwan, and Vietnam."

I searched the list of over 4,500 User-Agents and found seven hits for Vista systems (those with "Windows NT 6.0" in the User Agent string). Four of those are clearly test probes, and the systems were not actually infected. The other three are for a single IP address and apparently the same host, on a dial-up account with a U.S. West Cast ISP. Sounds like a test system to me. In other words, no actual Vista users were harmed in the exploitation of this vulnerability. This isn't surprising, since the vulnerability is much harder to exploit under Vista than XP, but it's also the point: Vista users are safer because they use Vista.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel