A year later, not much has changed. MS08-067 is one year older and it is still as potent a tool in the belt of penetration testers, security pros and black hat hackers as ever before. Its continued relevance, four years after it was technically fixed, presents something of a paradox: concerns about malicious attacks have pushed Microsoft's products to new heights of safety and security. And yet its customers often fail to take even simple steps to protect themselves from known attacks. Why?
Windows - safe(r) but not secure
Ten years ago, it might have been hard to imagine a list of the 10 most vulnerable software products that didn't include at least one from Microsoft. But that's what the news was last week, when antivirus software company Kaspersky Lab released its third quarter Threat Evolution Report. Of the top 10 vulnerabilities detected on user systems, not one was for Microsoft's Windows operating system or software from the Redmond, Washington company.
This, for a company whose vulnerable products were a playground for online menaces like MSBlaster, SQL Slammer and Conficker. Microsoft products, the Kaspersky report dryly noted, “no longer feature among the Top 10 products with vulnerabilities...because the automatic updates mechanism has now been well developed in recent versions of Windows OS.”
The report from Kaspersky is just the latest to suggest that Microsoft has lost its status as the software security world's whipping post. With the release of Windows 8 at the end of October, Microsoft was anxious to trumpet the new OS version as its most secure ever, with features like secure boot, built-in and on-by-default anti-malware and improved application sandboxing to prevent malicious programs from gaining a foothold. And Windows 8 merely stands on the shoulders of earlier Windows iterations like Windows 7 and Windows Vista, which added even more fundamental security improvements, like Address Space Layout Randomization.
Speaking at the GreyHack conference in Grenoble, France, last month, Kostya Kortchinsky, a noted security researcher who recently joined Microsoft as a Senior Security Researcher, noted that, in the last decade, the number of “interesting” (aka “exploitable”) vulnerabilities in Microsoft products has plummeted and that entire classes of vulnerabilities are now disappearing. Stack- and heap-based vulnerabilities, once the salt and pepper of remote attacks, are disappearing in updated Microsoft products due to better security auditing features built into development tools. Even when vulnerabilities of those kinds are found within Microsoft products, security features in late model operating systems like Vista, Windows 7 and Windows 8 make them impossible to exploit, Kortchinsky said.