Consider this scene: it's October, 2011. Security researchers gathered in Louisville, Kentucky for the annual DerbyCon security conference. On the schedule that year, alongside presentations on “Advanced Nmap Scripting” and “anti forensic techniques,” was a humble birthday party for, of all things, a software vulnerability. But this wasn't just any software vulnerability. This was CVE-2008-4250, the dreaded Server Service vulnerability, which Microsoft patched in October, 2008, three years prior, when it released MS08-067, a software update for all affected Windows systems.
So why the party in Louisville? Why a supermarket sheet cake with the Microsoft logo, some shell script and an image of the super-evil Marvel hero Magneto launching an ICBM? Consider it a show of respect amongst the assembled - many of them IT security professionals and penetration testers - for a vulnerability that helped them bring home the bacon month after month.
The vulnerability patched by MS08-067 concerned a problem with the way the Server service on Windows handled certain kinds of requests sent using Remote Procedure Call (RPC), a commonly used application protocol. Attackers who could exploit the hole could remotely compromise and take full control of an affected Windows system. Nearly every supported version of Windows was affected, leaving them wide open to remote exploit. In October, 2011, a full three years after a fix for that vulnerability was released, enough of those systems were still around, and still vulnerable that the MS08-067 was considered alive and kicking.
“As a Penetration Tester, this vulnerability is sought out because it is highly reliable and very low risk,” the penetration testers at the firm SecureState observed at the time. “As an attacker, the simple fact is the attack still works.”
A year later, not much has changed. MS08-067 is one year older and it is still as potent a tool in the belt of penetration testers, security pros and black hat hackers as ever before. It's continued relevance, four years after it was technically fixed, presents something of a paradox: concerns about malicious attacks have pushed Microsoft's products to new heights of safety and security. And yet its customers often fail to take even simple steps to protect themselves from known attacks. Why?
Windows - safe(r) but not secure
Ten years ago, it might have been hard to imagine a list of the 10 most vulnerable software products that didn't include at least one from Microsoft. But that's what the news was last week, when anti virus software company Kaspersky Lab released its third quarter Threat Evolution Report. Of the top 10 vulnerabilities detected on user systems, not one was for Microsoft's Windows operating system or software from the Redmond, Washington company.
This, for a company whose vulnerable products were a playground for online menaces like MSBlaster, SQL Slammer and Conficker. Microsoft products, the Kaspersky report dryly noted, “no longer feature among the Top 10 products with vulnerabilities...because the automatic updates mechanism has now been well developed in recent versions of Windows OS.”
The report from Kaspersky is just the latest to suggest that Microsoft has lost its status as the software security world's whipping post. With the release of Windows 8 at the end of October, Microsoft was anxious to trump the new OS version as its most secure, ever with features like secure boot, built-in and on-by-default anti malware and improved application sandboxing features to prevent malicious programs from gaining a foothold. And Windows 8 merely stands on the shoulders of earlier Windows iterations like Windows 7 and Windows Vista, which added even more fundamental security improvements, like Address Space Layout Randomization.
Speaking at the GreyHack conference in Grenoble, France, last month, Kostya Kortchinsky, a noted security researcher who recently joined Microsoft as a Senior Security Researcher, noted that, in the last decade, the number of “interesting” (aka “exploitable”) vulnerabilities in Microsoft products has plummeted and that entire classes of vulnerabilities are now disappearing. Those include stack- and heap-based vulnerabilities, once the pepper and salt of remote attacks are disappearing in updated Microsoft products due to better security auditing features built into development tools. Even when vulnerabilities of those kinds are found within Microsoft products, security features in late model operating systems like Vista, Windows 7 and Windows 8 make them impossible to exploit, Kortchinsky said.
Long in the tooth, critical vulnerabilities still have bite
Problem solved, right? Not so fast. While it's true that Windows is harder to break into than ever, Windows vulnerabilities are still among the most often used to break into corporate networks. The sad truth is that the rapid improvements in software security are being undercut by endemic problems: insecure applications, complex and brittle IT environments and a new generation of sophisticated and stealthy attacks.
For just one measure of this, consider the security firm Rapid7's recent inquiry into which exploit modules for its Metasploit penetration testing framework users were the most interested in. To try to get a measure of this, the company looked at what visitors to metasploit.com were looking for when they searched its exploit database. They found high interest in hot new exploits. The module for exploiting MS12-020 was the most searched for exploit.
However, many of the most sought after exploits were for vulnerabilities that were down-right geriatric: MS08-067 was the second most searched for exploit, and a relative youngster at four years old. Number three? How about the Microsoft Server Service NetpwPathCanonicalize Overflow - MS06-040 - a six year old vulnerability. Number four? Microsoft's RPC DCOM Interface Overlflow, MS03-026 - that's right: a nine year old vulnerability. Number five: the exploit for MS10-006, a two year-old Windows 7 and Windows Server 2008 client infinite loop useful in doing DDoS attacks. In fact, of the top 10 exploit modules in April, 2012, just two were for vulnerabilities discovered in 2012, according to a post by Christian Kirsch on Rapid 7's blog.
Justin Seitz, a senior security researcher at the penetration testing firm Immunity Inc. said that its not uncommon for his testers to find systems that haven't applied older patches like MS08-067 even today - and even in Immunity's customer base of Fortune 500 firms. “You definitely see it - though not in high numbers,” he said. Typically, it's not that the vulnerable system has been overlooked. More commonly, it's a critical element of a mission critical system that can't be patched, or that's considered low value.
“You might have a legacy system that's part of a (financial services company's) trading fabric,” he said. In other cases, the vulnerable systems are outside the purview of IT - nested in development and QA (quality assurance) environments where IT hasn't applied patches because the systems are developer-managed.
But even if those systems are known risks, they can still give attackers a toe-hold within an organization, said Seitz. “You're only going to break into infrastructure one of two ways: either they haven't patched something, or you're going to burn a zero day,” he said, referring to a previously undiscovered security hole. The former scenario is far more likely than the latter, Seitz said.
Eric Baize, the Senior Director of the Product Security Office at EMC Corp. said that exploitable vulnerabilities in common software like Windows, Adobe's Reader and Java are the unlocked doors and windows of corporate security: even sophisticated cyber attackers will look for them first, before moving on to more sophisticated breaking and entering strategies - such as spear phishing attacks or zero day vulnerabilities.
Putting sophisticated hackers aside, having systems on your network vulnerable to aged and well-worn exploits also makes your organization a target to the much larger population of opportunistic attackers, as well, said Matt Dean, the chief operating officer at the security firm Firemon. “Many of the attacks we see are more about (attackers) finding things that can be exploited, and that they know how to exploit than they are about targeting a specific company,” he said.
No easy fix
In the final analysis, our experts say that the steady improvement in the security of Windows is great news - but may not do much to improve the overall security of organizations. That's especially true if attackers can continue to rely on vulnerable legacy systems, or move to other targets of opportunity.
Dean, of Firemon, said that organizations have to deny attackers easy and powerful attacks, such as those enabled by MS08-067 and other common security holes, even if they lurk on systems that seem isolated or low-risk. “You've got to really worry about vulnerabilities in remote access protocols like RPC, SSH, Telnet and FTP - anything that will give you remote control of a system,” he said.
Seitz of Immunity said that web-based application servers are a common point of entry, as well, using SQL injection attacks that grant them access to back end database servers. From there, attackers can often move deeper into a network, Seitz said.
And, in the age of ‘advanced persistent threats,' organizations need to consider those alternative attack methods, and think bigger than just “patching” and malware detection, says Baize of EMC. Companies need to develop secure processes that include patching, network monitoring, endpoint configuration management and other IT controls.
“Patching and tracking assets are steps number one and two of being safe,” he said. “But they're not the last steps.” “Most of our customers, when I meet with CSOs, are not talking about patching. They're talking about advanced security operations centers and how to get threat intelligence out of their networks. Early detection is key.”
And, even with both patching and process in place, companies should still be prepared for the unknown - new attack vectors, unknown vulnerabilities and other surprises, Baize cautioned.
“The challenge of the (IT) maturity model is that the more you learn, the more you discover what you don't know,” he said.