As Windows gets safer, old vulnerabilities still have bite

Microsoft Windows is harder to exploit than ever before, but despite the improvements in OS security, experts say it's the old wounds that hurt the most, as organizations continue to fall to cyber attacks that exploit vulnerabilities discovered - and patched - years earlier. Why?

By , ITworld |  Security

A year later, not much has changed. MS08-067 is one year older and still as potent a tool in the belt of penetration testers, security pros and black hat hackers as ever. Its continued relevance, four years after it was technically fixed, presents something of a paradox: concern about malicious attacks has pushed Microsoft's products to new heights of safety and security, and yet its customers often fail to take even simple steps to protect themselves from known attacks. Why?
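The "simple step" for MS08-067 is confirming that the fix is actually installed. The PowerShell audit below is an added example, not code from the article or from Microsoft; the host names are constructed for illustration, and it assumes WMI (DCOM) access and administrative rights on each target. MS08-067 shipped as hotfix KB958644 for Windows XP, Server 2003, Vista and Server 2008; Windows 7 and later were built with the fix, and Vista/Server 2008 SP2 rolled it into the service pack, so on those systems the KB never appears in the hotfix list and the script treats them as not affected rather than as missing the patch.

```powershell
# Added example (not from the ITworld article): audit Windows hosts for the MS08-067 fix.
# Host names below are made up; Get-WmiObject/Get-HotFix need WMI (DCOM) access and
# admin rights on each target, so run this from an account that has both.
$Hosts     = @('ws-finance-01', 'ws-finance-02', 'srv-files-01')   # constructed sample
$Ms08067Kb = 'KB958644'                                              # hotfix ID for MS08-067

$Report = foreach ($h in $Hosts) {
    try {
        $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $h -ErrorAction Stop
        $ver = [version]$os.Version   # e.g. 5.1.2600 (XP), 5.2.3790 (2003), 6.0.6002 (Vista SP2)

        # Releases that already contain the fix: Windows 7 / Server 2008 R2 (6.1) and later,
        # and Vista / Server 2008 at SP2 or later. KB958644 is never listed on these.
        $fixRolledIn = ($ver -ge [version]'6.1') -or
                       ($ver.Major -eq 6 -and $ver.Minor -eq 0 -and $os.ServicePackMajorVersion -ge 2)

        if ($fixRolledIn) {
            $status = 'not affected (fix built into this OS release)'
        } else {
            # Win32_QuickFixEngineering lists installed updates; look for the MS08-067 hotfix.
            $installed = Get-HotFix -ComputerName $h -ErrorAction Stop |
                         Where-Object { $_.HotFixID -eq $Ms08067Kb }
            $status = if ($installed) { 'patched' } else { "VULNERABLE: $Ms08067Kb missing" }
        }
        [pscustomobject]@{ Host = $h; OS = $os.Caption; Version = $os.Version; Status = $status }
    } catch {
        # Unreachable host or access denied: surface it rather than silently treating it as fine.
        [pscustomobject]@{ Host = $h; OS = $null; Version = $null; Status = "unknown ($($_.Exception.Message))" }
    }
}

$Report | Sort-Object Status | Format-Table -AutoSize
```

Treat a VULNERABLE or unknown row as a prompt to verify with an authenticated vulnerability scanner or by inspecting the host directly, not as proof on its own: the hotfix list only reflects updates registered with the Windows servicing stack, and hosts that cannot be queried are exactly the ones most likely to have been forgotten by patch management.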

Windows - safe(r) but not secure

Ten years ago, it would have been hard to imagine a list of the 10 most vulnerable software products without at least one entry from Microsoft. But that was the news last week, when antivirus company Kaspersky Lab released its third-quarter Threat Evolution Report: of the top 10 vulnerabilities detected on user systems, not one was in Microsoft's Windows operating system or in other software from the Redmond, Washington company.

This, for a company whose vulnerable products were once a playground for worms like MSBlaster, SQL Slammer and Conficker. Microsoft products, the Kaspersky report dryly noted, “no longer feature among the Top 10 products with vulnerabilities...because the automatic updates mechanism has now been well developed in recent versions of Windows OS.”

The report from Kaspersky is just the latest to suggest that Microsoft has lost its status as the software security world's whipping post. With the release of Windows 8 at the end of October, Microsoft was eager to tout the new OS version as its most secure ever, with features like Secure Boot, built-in, on-by-default antimalware and improved application sandboxing to keep malicious programs from gaining a foothold. And Windows 8 stands on the shoulders of earlier releases like Windows 7 and Windows Vista, which added even more fundamental defenses such as Address Space Layout Randomization (ASLR).

Speaking at the GreHack conference in Grenoble, France, last month, Kostya Kortchinsky, a noted security researcher who recently joined Microsoft as a Senior Security Researcher, said that over the last decade the number of “interesting” (that is, exploitable) vulnerabilities in Microsoft products has plummeted and that entire classes of vulnerability are now disappearing. Stack- and heap-based memory corruption bugs, once the salt and pepper of remote attacks, are vanishing from current Microsoft products thanks to security auditing built into the development tools. Even when bugs of that kind are found in Microsoft products, Kortchinsky said, the exploit mitigations in late-model operating systems like Vista, Windows 7 and Windows 8 make them impossible to exploit.
