Predicting Vulnerabilities, Quotes and more
Posted by jericho
Interesting article for several reasons. Below are some of the quotes that stood out to me and may prove to be worthwhile topics.
Hackers exploit Windows patches, by Mark Ward, BBC News, last updated Thursday, 26 February, 2004, 10:54 GMT: http://news.bbc.co.uk/1/hi/technology/3485972.stm
“We have never had vulnerabilities exploited before the patch was known,” [David Aucsmith, Microsoft Security Business and Technology Unit] said.
I don’t think Aucsmith or any other vendor can say this with any certainty. If a vulnerability is found by a security company and disclosed to the vendor, it leads to a patch down the road. When the patch comes out, many people will reverse engineer it to figure out the vulnerability, as most of us know. In the same way, IDS signatures follow the exploits, which follow the patches. So if an unpatched ‘0-day’ vulnerability is being exploited, how would we know? With no signature to match against, the chance of detecting such an attack is significantly lower, so there is little basis for knowing this statement is true.
“It’s a myth that hackers find the holes,” said Nigel Beighton, who runs a research project for security firm Symantec that attempts to predict which vulnerabilities will be exploited next.
Very interesting! Symantec attempts to predict which vulnerabilities will be exploited next. I wonder how =) It would be easy to do a high-level analysis (expect to see this from mi2g or Gartner): “We predict that the X vulnerability, a remote system-level compromise that does not require authentication, will be widely exploited in short order.” We can all predict this and be right most of the time. I assume Symantec does something above and beyond that…
“Almost all attacks against our software are against the legacy systems,” [David Aucsmith] said. “If you want more secure software, upgrade.”
This makes you wonder whether Microsoft has less reason to care about security, since these nasty vulnerabilities are the best argument for buying the latest version they offer. Beyond that, how many of the vulnerabilities last reported affect their latest products? This quote seems like pure marketing spin.

OSVDB Blog
Speaking of distributed innovation, the Open Source Vulnerability Database is a great project, dedicated to accumulating deep technical knowledge about computer security vulnerabilities, and making it freely available. And now it turns out, they have …
“We have never had vulnerabilities exploited before the patch was known,” [David Aucsmith, Microsoft Security Business and Technology Unit] said.
While I forget exactly which, as I recall one of the various RPC DCOM vulnerabilities was first discovered because it was being used as a 0day exploit against US DOD servers.
Also, what about Internet Explorer vulnerabilities that have been exploited to install malware prior to patching? I recall an out-of-cycle emergency security patch for one of those.
Sounds like David Aucsmith either needs to get a little history lesson or a return ticket to whatever business unit he was in before he got his job in security.
Using MSIE vulnerabilities for malware is an excellent example. Given that Microsoft did not view such bugs as serious, the fact that some researchers kept a tally of how long they had gone unpatched (Thor Larholm’s list, originally at PivX) is a testament to how untrue Aucsmith’s comments really are.
The RPC/DCOM reference makes me wish that someone in the IDS/incidents arena would take up a hobby of putting such attacks together. As they notice new exploits, note the date, then watch for vulnerability disclosures months down the road and correlate them. Having some data showing the 0days of risk would be interesting.
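The correlation exercise described above (and the detection gap raised in the post: an exploit seen before any patch or signature exists) can be sketched as a small script. This is an added example, not code from OSVDB or from any commenter; the vulnerability ids, dates and sources are constructed placeholders. It joins earliest exploit sightings from IDS/incident data to later disclosure and patch dates, flags which ones were true 0-days when first seen, and lists sightings that no advisory has explained yet.

```python
"""Correlate exploit sightings with vulnerability disclosures and patches.

Constructed example data only: the vulnerability ids, dates and sources
are hypothetical placeholders, not real advisories or incidents.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Disclosure:
    vuln_id: str
    disclosed: date             # date the vulnerability became publicly known
    patched: Optional[date]     # None if no fix had shipped as of the report date


@dataclass(frozen=True)
class Sighting:
    vuln_id: str
    first_seen: date            # when the exploit was first observed in the wild
    source: str                 # e.g. IDS, honeypot, incident report


def earliest_sightings(sightings: List[Sighting]) -> Dict[str, Sighting]:
    """Keep only the earliest observation per vulnerability id."""
    earliest: Dict[str, Sighting] = {}
    for s in sightings:
        if s.vuln_id not in earliest or s.first_seen < earliest[s.vuln_id].first_seen:
            earliest[s.vuln_id] = s
    return earliest


def build_report(sightings: List[Sighting], disclosures: List[Disclosure], as_of: date) -> dict:
    """Return per-vulnerability risk windows plus sightings with no disclosure yet.

    pre_disclosure_days: days the exploit circulated before public disclosure
                         (non-zero means it was a true 0-day when first seen)
    disclosure_to_patch_days: days between disclosure and the fix, or up to
                              `as_of` if no fix has shipped
    """
    earliest = earliest_sightings(sightings)
    per_vuln = {}
    for d in disclosures:
        seen = earliest.get(d.vuln_id)
        zero_day = seen is not None and seen.first_seen < d.disclosed
        per_vuln[d.vuln_id] = {
            "exploited": seen is not None,
            "zero_day": zero_day,
            "pre_disclosure_days": (d.disclosed - seen.first_seen).days if zero_day else 0,
            "disclosure_to_patch_days": ((d.patched or as_of) - d.disclosed).days,
            "patched": d.patched is not None,
        }
    # Exploits seen but not yet matched to any disclosure: the ones to keep
    # watching, since an advisory months later may turn out to explain them.
    unmatched = sorted(v for v in earliest if v not in per_vuln)
    return {"per_vuln": per_vuln, "unmatched": unmatched}


def zero_day_count(report: dict) -> int:
    """Number of disclosed vulnerabilities that were exploited before disclosure."""
    return sum(1 for e in report["per_vuln"].values() if e["zero_day"])


# Constructed sample data (hypothetical ids, dates and sources).
SAMPLE_SIGHTINGS = [
    Sighting("VULN-A", date(2003, 12, 1), "ids"),
    Sighting("VULN-A", date(2003, 11, 15), "honeypot"),   # earlier than disclosure
    Sighting("VULN-B", date(2004, 2, 12), "incident"),    # after the patch shipped
    Sighting("VULN-D", date(2004, 2, 25), "ids"),         # no disclosure yet
]
SAMPLE_DISCLOSURES = [
    Disclosure("VULN-A", date(2004, 1, 10), date(2004, 1, 20)),
    Disclosure("VULN-B", date(2004, 2, 1), date(2004, 2, 10)),
    Disclosure("VULN-C", date(2004, 2, 20), None),        # still unpatched
]
AS_OF = date(2004, 2, 26)


if __name__ == "__main__":
    report = build_report(SAMPLE_SIGHTINGS, SAMPLE_DISCLOSURES, AS_OF)
    for vid, entry in sorted(report["per_vuln"].items()):
        print(vid, entry)
    print("unmatched sightings:", report["unmatched"])
    print("0-day cases:", zero_day_count(report))
```

The "unmatched" list is the interesting part for the hobby proposed above: each entry is an exploit that detection caught without any advisory to hang it on, which is exactly the case a vendor cannot count when claiming nothing is exploited before a patch exists.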