Re: [ISN] What spooks Microsoft's chief security advisor

From: InfoSec News (alerts@private)
Date: Sun Mar 30 2008 - 22:21:17 PST


Forwarded from: security curmudgeon <jericho (at) attrition.org>

: http://www.networkworld.com/news/2008/032608-microsoft-security-concerns.html
:
: By Bob Brown

[..]

: Speaking at the Boston SecureWorld conference Wednesday, the 19-year 
: Microsoft veteran whose job includes protecting enterprises, 
: developers and Microsoft itself said there actually is plenty of good 
: news on the security front. For example, his outfit scans a half 
: million devices (with customer permission) per month and in the first 
: half of last year saw the first period-over-period decline in new 
: vulnerabilities disclosed across Microsoft and non-Microsoft software 
: since 2003.
:
: However, 3,400 new vulnerabilities were discovered and "it's still a 
: big number," Arsenault says. "So if vulnerability rates are down, 
: where are they?"

Oh where to begin..

The drop in vulnerabilities disclosed in 2007 seems to be a 'fact' that 
many journalists and some industry denizens latched on to at some point 
over the last few months. As with many statistics/metrics, once boiled 
down to a sound bite they lose a lot of the caveats, disclaimers and 
warnings.

The number '3400' likely comes from CVE/NVD which is a specialized 
vulnerability database (VDB) designed to assign a tracking number and 
standard naming scheme to vulnerabilities. In doing so, CVE will merge 
multiple vulnerabilities into a single entry if the vulnerability is 
essentially the same (10 scripts all vulnerable to RFI) or if there is 
no actionable information due to a vague disclosure (10 Oracle vulns). 
Even though one CVE may have as many as 80 or more distinct 
vulnerabilities, they get counted as *1* vulnerability by many people 
using CVE as their source for vulnerability disclosure metrics.

What happens when you take the 3,400 from CVE and expand it to account 
for the above, and then throw in vulnerabilities that they did not 
catalog due to a lack of resources? At least 8,252 in 2007 that I know 
of. Yes, that is 'down' from the previous year (10,553) but still 
doesn't consider changes in the vulnerability disclosure world. The 
value of working 0-day has gone up and the incentive to disclose is 
going down. In addition to financial value of such information, the 
threat of lawsuit from vendors, the trends in disclosure (it's no longer 
"RFI year") and the resources assigned to track all of this, there are a 
lot more factors that must be considered before throwing such numbers 
out. To do so is irresponsible and misleading at best.

Next, Arsenault slips up even worse by saying "3,400 new vulnerabilities 
were DISCOVERED" which is just blatantly false. We know vulnerabilities 
are discovered and not disclosed. Sometimes they are used for the 
dreaded "0-day", sometimes they are quietly fixed by the vendor. Either 
way, the number of vulnerabilities in any VDB is not a reflection on 
what was discovered, just what was disclosed in specific forums.

: One trend that pops out is that attackers are increasingly laying off 
: operating systems and exploiting applications instead. One reason for 
: this, Arsenault says, is that vendors like Microsoft, Apple and RedHat 
: have done a good job in recent years securing the IP stack and 
: operating system.

Or one may argue that increasingly, these operating systems and TCP/IP 
stacks sit behind cheap routers provided with broadband access. You can 
no longer remotely pop a Windows box as easily as you could years ago 
simply because you can't pass traffic directly to it.

Since the applications are originating the connection outbound, the 
router is happily passing traffic back to it per the user's request. The 
exploit vector is much more likely to work. Even better, that fancy 
browser based bug may be cross-platform!

: "This is not a problem that people should be thinking is just an 
: Office problem," he said. "It's anybody who uses file formats that are 
: not XML based going forward." Adobe, Corel and Google are among others 
: facing similar challenges, Arsenault said.

Uh, is Arsenault implying that using XML is somehow safe from file 
handling vulnerabilities?

Apple Mac OS X Foundation NSXML XML File Handling Arbitrary Code 
Execution - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0059

Opera XML Document Handling Crafted Attribute Sanitization Filter Bypass 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1082

Mozilla Multiple Products XML Document XMLDocument.cloneNode() Function 
Arbitrary Script Code Execution 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0415

: On a positive note, Microsoft is seeing the amount of publicly 
: exploitable code, at least for its own software, shrink. But Arsenault 
: does sweat over whether there's really less exploitable code, or 
: whether it's more a case of such code just being kept secret by nation 
: states looking to wage cyberwar.

See above. There is a serious financial value to working exploit code 
for such vulnerabilities. Even the most public pay-for-vuln shops like 
iDefense and TippingPoint/ZDI will pay *tens of thousands of dollars* 
for Microsoft Windows exploit code.
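The router argument made above (unsolicited inbound traffic never reaches the Windows box, but a page the browser asked for comes straight back in), as an added example that is not part of the original post or any product's code: a toy Python model of a broadband router's stateful filter. The LAN prefix, hosts, ports and the absence of any port-forwarding rule are constructed assumptions; no real packets are sent.

```python
"""Toy stateful NAT/firewall model (added example, not from the original post).

A home router records flows that LAN hosts initiate and only admits inbound
packets that are replies to a recorded flow (or hit an explicitly forwarded
port, of which this example configures none).  That is the mechanism behind
the shift from remote-service exploits to client-side (browser/file-format)
exploits described in the post.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

FlowKey = Tuple[str, int, str, int, str]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def key(self) -> FlowKey:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)

    def reverse_key(self) -> FlowKey:
        # The flow as the LAN host originally recorded it (endpoints swapped).
        return (self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


class StatefulRouter:
    """Minimal model of a consumer router's connection-tracking filter."""

    def __init__(self, lan_prefix: str, forwarded_ports: Iterable[int] = ()) -> None:
        self.lan_prefix = lan_prefix                      # assumed LAN, e.g. "192.168.1."
        self.forwarded_ports: Set[int] = set(forwarded_ports)
        self.state: Set[FlowKey] = set()                  # flows initiated from the LAN

    def is_lan(self, ip: str) -> bool:
        return ip.startswith(self.lan_prefix)

    def handle(self, pkt: Packet) -> str:
        outbound = self.is_lan(pkt.src_ip) and not self.is_lan(pkt.dst_ip)
        inbound = not self.is_lan(pkt.src_ip) and self.is_lan(pkt.dst_ip)
        if outbound:
            # LAN host initiated the flow: remember it so replies get back in.
            self.state.add(pkt.key())
            return "ALLOW_OUTBOUND"
        if inbound:
            if pkt.reverse_key() in self.state:
                return "ALLOW_REPLY"                      # answer to a request we saw
            if pkt.dst_port in self.forwarded_ports:
                return "ALLOW_FORWARDED"                  # explicit port forward
            return "DROP_UNSOLICITED"                     # nobody on the LAN asked
        return "DROP"                                     # anything else (no routing)


def run_scenarios() -> Dict[str, str]:
    """Drive the model through the two attack paths discussed in the post."""
    router = StatefulRouter(lan_prefix="192.168.1.")      # no forwarded ports (assumption)
    pc, attacker, website = "192.168.1.10", "203.0.113.7", "198.51.100.80"  # constructed
    results: Dict[str, str] = {}

    # 1. The old remote-service attack: unsolicited SYN to SMB (445) on the PC.
    results["attacker->pc:445"] = router.handle(Packet(attacker, 40000, pc, 445))

    # 2. The user browses to a site; the router records the outbound flow.
    results["pc->website:80"] = router.handle(Packet(pc, 51515, website, 80))

    # 3. The site's reply (which may carry a browser exploit) matches that flow.
    results["website->pc reply"] = router.handle(Packet(website, 80, pc, 51515))

    # 4. The attacker spoofing the same ephemeral port still has no matching flow.
    results["attacker->pc:51515"] = router.handle(Packet(attacker, 80, pc, 51515))

    return results


if __name__ == "__main__":
    for label, verdict in run_scenarios().items():
        print(f"{label:24s} {verdict}")
```

The model deliberately ignores sequence numbers, timeouts and UDP; the single thing it shows is that the verdict depends on who opened the flow, which is why a malicious page the browser fetched is delivered while a direct probe of the same host is not.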




This archive was generated by hypermail 2.1.3 : Sun Mar 30 2008 - 22:36:09 PST