The reports of Microsoft’s “out of band” patch last week of a critical vulnerability in Windows all took note of how unusual it was. Out-of-band updates are unusual-the last one was MS07-017 on April 3, 2007-because Microsoft has gotten on top of the vulnerability problem better than anyone. In fact, I’d say the game is over. They win.
Of course, this doesn’t mean that Windows users are all safe now and you can stop worrying about vulnerabilities. What it does mean is that if you use current versions of their products, are diligent about applying updates soon after they come out, have reasonably good and updated security software, and maybe do some reasonable education of users over what they can and can’t do with computers, your chances of getting exploited by a vulnerability in a Microsoft product are pretty small. They have been getting smaller over time.
Part of the reason for this is explained in Microsoft’s Jeff Jones’s most recent report on desktop vulnerabilities. It’s clear that things are way better than they were a few years ago. Jones’ data shows that Microsoft has fewer and less severe vulnerabilities in its products, and that it patches them faster. And the most recent versions of Microsoft’s products, the ones developed with the SDL (Security Development Lifecycle), are the least vulnerable of all, especially Office.
For years I’ve seen this trend and figured that it should translate into a pattern in the exploitation of vulnerabilities: The older and less-urgently patched a platform is, the more likely it is to be exploited. The newer and more urgently patched a system is, the less it would be exploited. Sure enough, this pattern is borne out in Microsoft’s latest SIR (Security Intelligence Report), covering the first half of 2008. Microsoft’s data comes from its own telemetry via Windows Update, the Malicious Software Removal Tool, ForeFront products and so on, so it’s a huge sample, especially via the MSRT that runs on all systems that run Windows Update.
Consider Figure 80 in the report on Page 133, which shows the vulnerabilities behind the top browser-based exploits they collected. Browser exploits are probably the lion’s share of vulnerability exploits today. Essentially all of the exploits of Windows vulnerabilities are targeting older, unpatched platforms.
The top one, MS06-014 (Vulnerability in the Microsoft Data Access Components [MDAC] Function Could Allow Code Execution), was patched 2 1/2 years ago. Only one Microsoft vulnerability in the list affects Windows Vista, at 1.1 percent of collected samples: MS07-017 (Vulnerabilities in GDI Could Allow Remote Code Execution). The update covered several vulnerabilities, and the one that mattered was also known as CVE-2007-0038, the ANI bug.
This was a very big deal when it came out, shortly after Vista was released, but one of the facts that quickly became apparent was that if Vista were exploited it would have to be through Internet Explorer 7 in Protected Mode (unless the user turned that off), and therefore the attack could not be persistent. As a practical matter, according to Microsoft, none of the existing attacks affects IE7 in Protected Mode.
Look down the exploit list in the SIR, and you’ll see that the large majority are for vulnerabilities in third-party products, such as RealPlayer, QuickTime, BaoFeng Storm (some Chinese thing), Acrobat and so on. That’s where the real action is in vulnerability exploits; users aren’t as proactive about patching third-party products, and they aren’t as in-your-face about patching as Windows is. (This is why I’ve suggested that Microsoft offer to host patching services for third parties on Windows Update, but that’s not going to happen.)
The whole current MS08-067 Server vulnerability episode reinforces all of this for me. An update this past Friday night from the Microsoft Security Response Center repeats what I have heard, that people are patching furiously. It also notes that there is exploit code and a functioning attack. A hacker blog on 0x000000.com (love that domain name) says they have found the exploit victim list for the worm and provide the complete list, including the User-Agent strings for all of them. A Securiteam blog says, based on the IP addresses in the list, that the users are “… mainly in Australia, China, Philippines, India, Japan, Korea, Malta, Malaysia, Taiwan, and Vietnam.”
I searched the list of over 4,500 User-Agents and found seven hits for Vista systems (those with “Windows NT 6.0” in the User Agent string). Four of those are clearly test probes, and the systems were not actually infected. The other three are for a single IP address and apparently the same host, on a dial-up account with a U.S. West Cast ISP. Sounds like a test system to me. In other words, no actual Vista users were harmed in the exploitation of this vulnerability. This isn’t surprising, since the vulnerability is much harder to exploit under Vista than XP, but it’s also the point: Vista users are safer because they use Vista.
Vulnerabilities Are a Declining Factor in Security
All of this leads to another major conclusion of the report-that vulnerabilities themselves are a declining factor in security. It’s not just Microsoft, it’s an industrywide phenomenon. Malware and social engineering, often in combination, are the way most Windows users get compromised, and often they are convinced through social engineering to bypass the security features in Windows that protect them. The malware industry fights this partly with volume; Symantec now estimates that more malicious software is being written every day than legitimate software.
Even social engineering can be controlled in large part with good, tight management practices. In an enterprise, users should not in any circumstances have sufficient rights on their own systems to install software, for example. My sense is that businesses are moving in this direction, slowly. Consumers are a problem though. I run Vista as a standard user, but whenever I find nontechnical users running it, they are running as Administrator and I doubt they take UAC warnings seriously.
No doubt many Vista users are infected with malware because they just want to see the dancing pigs and ignore every warning Windows gives them. This is a tough problem to solve, but it has nothing to do with vulnerabilities, and every other operating system is as vulnerable to malware, if someone writes it, and to social engineering. Of course, almost all malware is written only for Windows.
I’ve written a lot about whitelisting lately as a logical and effective solution to malware, but one that has some serious obstacles to it, especially for consumers and small businesses. But imagine if you could do it: If vulnerabilities are becoming manageable and whitelists can be effective, we really could turn the tables on the bad guys. It almost seems in sight.
Security CenterEditor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s blog Cheap Hack.