Long in the tooth, critical vulnerabilities still have bite
Problem solved, right? Not so fast. While it's true that Windows is harder to break into than ever, Windows vulnerabilities are still among the most often used to break into corporate networks. The sad truth is that the rapid improvements in software security are being undercut by endemic problems: insecure applications, complex and brittle IT environments and a new generation of sophisticated and stealthy attacks.
For just one measure of this, consider a recent exercise by the security firm Rapid7, which set out to learn which exploit modules for its Metasploit penetration testing framework users were most interested in. The company looked at what visitors to metasploit.com searched for in its exploit database. They found high interest in hot new exploits: the module for exploiting MS12-020 (the Remote Desktop Protocol flaw Microsoft patched in March 2012) was the most searched-for exploit.
However, many of the most sought-after exploits were for vulnerabilities that were downright geriatric. MS08-067 was the second most searched-for exploit, and a relative youngster at four years old. Number three? The Microsoft Server Service NetpwPathCanonicalize Overflow, MS06-040, a six-year-old vulnerability. Number four? Microsoft's RPC DCOM Interface Overflow, MS03-026. That's right: a nine-year-old vulnerability. Number five: the module for MS10-006, a two-year-old infinite loop in the Windows 7 and Windows Server 2008 R2 SMB client, useful for denial-of-service (DoS) attacks rather than code execution. In fact, of the top 10 exploit modules in April 2012, just two were for vulnerabilities discovered in 2012, according to a post by Christian Kirsch on Rapid7's blog.
Justin Seitz, a senior security researcher at the penetration testing firm Immunity Inc., said that it's not uncommon for his testers to find systems that haven't applied older patches like MS08-067 even today, and even in Immunity's customer base of Fortune 500 firms. “You definitely see it, though not in high numbers,” he said. Typically, it's not that the vulnerable system has been overlooked. More commonly, it's a critical element of a mission-critical system that can't be patched, or a system that's considered low value.
“You might have a legacy system that's part of a (financial services company's) trading fabric,” he said. In other cases, the vulnerable systems are outside the purview of IT - nested in development and QA (quality assurance) environments where IT hasn't applied patches because the systems are developer-managed.
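A quick way to find the kind of forgotten host Seitz describes is to ask each Windows machine whether the hotfixes for the bulletins named above are installed. The script below is an added example, not code from the article, from Rapid7 or from Immunity. It assumes the bulletin-to-KB mapping shown in the hashtable (confirm each against the Microsoft bulletin before relying on it) and that the host has PowerShell 3.0 or later for Get-CimInstance.

```powershell
# Added example (not from the article): report which of the bulletins named
# above have no matching hotfix recorded on this host.
# Assumption: the KB numbers below are the hotfix IDs for each bulletin;
# verify them against the bulletin's "Affected Software" table.
$bulletins = @{
    'MS03-026' = @('KB823980')
    'MS06-040' = @('KB921883')
    'MS08-067' = @('KB958644')
    'MS10-006' = @('KB978251')
    'MS12-020' = @('KB2621440', 'KB2667402')   # either hotfix closes MS12-020
}

# Win32_QuickFixEngineering lists updates installed as discrete hotfixes.
$installed = Get-CimInstance -ClassName Win32_QuickFixEngineering |
    Select-Object -ExpandProperty HotFixID

$os = Get-CimInstance -ClassName Win32_OperatingSystem

foreach ($b in ($bulletins.GetEnumerator() | Sort-Object Key)) {
    # Any one of the listed KBs is enough to count the bulletin as applied.
    $present = @($b.Value | Where-Object { $installed -contains $_ })
    if ($present.Count -gt 0) {
        "{0}: hotfix present ({1})" -f $b.Key, ($present -join ', ')
    } else {
        "{0}: no hotfix listed on {1} (build {2})" -f $b.Key, $os.Caption, $os.Version
    }
}
```

Treat a "no hotfix listed" line as a lead, not a verdict. A fix that shipped inside a service pack or in the base image of a newer Windows release (MS08-067 is already built into Windows 7, for example) never appears as a separate hotfix, and the QFE list can also be incomplete on heavily rebuilt machines. The authoritative answer for a given host is the bulletin's affected-software table or a credentialed vulnerability scan; the script is only there to surface the legacy and developer-managed boxes that nobody has looked at in years.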