Systems still get exploited through vulnerabilities, but it's a declining factor and there isn't a good reason for it anymore. If you use up-to-date products and take reasonable precautions, your chances of getting hit are small and decreasing.
The reports of Microsoft's "out of band" patch last week of
a
critical vulnerability in Windows all took note of how unusual it was.
Out-of-band updates are unusual-the last one was
MS07-017
on April 3, 2007-because Microsoft has gotten on top of the vulnerability
problem better than anyone. In fact, I'd say the game is over. They win.
Of course, this doesn't mean that Windows users are all safe now and you can
stop worrying about vulnerabilities. What it does mean is that if you use
current versions of their products, are diligent about applying updates soon
after they come out, have reasonably good and updated security software, and
maybe do some reasonable education of users over what they can and can't do
with computers, your chances of getting exploited by a vulnerability in a
Microsoft product are pretty small. They have been getting smaller over time.
Part of the reason for this is explained in
Microsoft's
Jeff Jones's most recent report on desktop vulnerabilities. It's clear that
things are way better than they were a few years ago. Jones' data shows that
Microsoft has fewer and less severe vulnerabilities in its products, and that it
patches them faster. And the most recent versions of Microsoft's products, the
ones developed with the SDL (Security Development Lifecycle), are the least
vulnerable of all, especially Office.
For years I've seen this trend and figured that it should translate into a
pattern in the exploitation of vulnerabilities: The older and less-urgently
patched a platform is, the more likely it is to be exploited. The newer and
more urgently patched a system is, the less it would be exploited. Sure enough,
this pattern is borne out in
Microsoft's
latest SIR (Security Intelligence Report), covering the first half of 2008.
Microsoft's data comes from its own telemetry via Windows Update, the Malicious
Software Removal Tool, ForeFront products and so on, so it's a huge sample,
especially via the MSRT that runs on all systems that run Windows Update.
Consider Figure 80 in the report on Page 133, which shows the
vulnerabilities behind the top browser-based exploits they collected. Browser
exploits are probably the lion's share of vulnerability exploits today.
Essentially all of the exploits of Windows vulnerabilities are targeting older,
unpatched platforms.
The top one,
MS06-014
(Vulnerability in the Microsoft Data Access Components [MDAC] Function Could
Allow Code Execution), was patched 2 1/2 years ago. Only one Microsoft
vulnerability in the list affects Windows Vista, at 1.1 percent of collected
samples:
MS07-017
(Vulnerabilities in GDI Could Allow Remote Code Execution). The update
covered several vulnerabilities, and the one that mattered was also known as
CVE-2007-0038,
the ANI bug.
This was a very big deal when it came out, shortly after Vista was released,
but one of the facts that quickly became apparent was that if Vista were
exploited it would have to be through Internet Explorer 7 in Protected Mode
(unless the user turned that off), and therefore the attack could not be
persistent. As a practical matter, according to Microsoft, none of the existing
attacks affects IE7 in Protected Mode.
Look down the exploit list in the SIR, and you'll see that the large
majority are for vulnerabilities in third-party products, such as RealPlayer,
QuickTime,
BaoFeng Storm
(some Chinese thing), Acrobat and so on. That's where the real action is in
vulnerability exploits; users aren't as proactive about patching third-party
products, and they aren't as in-your-face about patching as Windows is. (This
is why
I've
suggested that Microsoft offer to host patching services for third parties on
Windows Update, but that's not going to happen.)
The whole current MS08-067 Server vulnerability episode reinforces all of
this for me.
An
update this past Friday night from the Microsoft Security Response Center
repeats what I have heard, that people are patching furiously. It also notes
that there is exploit code and a functioning attack.
A hacker blog on 0x000000.com
(love that domain name) says they have found the exploit victim list for the
worm and provide the complete list, including the User-Agent strings for all of
them.
A
Securiteam blog says, based on the IP addresses in the list, that the users
are "... mainly in Australia,
China, Philippines,
India, Japan,
Korea, Malta,
Malaysia, Taiwan,
and Vietnam."
I searched the list of over 4,500 User-Agents and found seven hits for Vista
systems (those with "Windows NT 6.0" in the User Agent string). Four
of those are clearly test probes, and the systems were not actually infected.
The other three are for a single IP address and apparently the same host, on a
dial-up account with a U.S. West Cast ISP. Sounds like a test system to me. In
other words, no actual Vista users were harmed in the
exploitation of this vulnerability. This isn't surprising, since the
vulnerability is much harder to exploit under Vista than
XP, but it's also the point: Vista users are safer
because they use Vista.
Email
Print
