Forwarded from: security curmudgeon <jericho (at) attrition.org>

: http://www.networkworld.com/news/2008/032608-microsoft-security-concerns.html
:
: By Bob Brown

[..]

: Speaking at the Boston SecureWorld conference Wednesday, the 19-year
: Microsoft veteran whose job includes protecting enterprises,
: developers and Microsoft itself said there actually is plenty of good
: news on the security front. For example, his outfit scans a half
: million devices (with customer permission) per month and in the first
: half of last year saw the first period-over-period decline in new
: vulnerabilities disclosed across Microsoft and non-Microsoft software
: since 2003.
:
: However, 3,400 new vulnerabilities were discovered and "it's still a
: big number," Arsenault says. "So if vulnerability rates are down,
: where are they?"

Oh, where to begin...

The drop in vulnerabilities disclosed in 2007 seems to be a 'fact' that many journalists and some industry denizens latched on to at some point over the last few months. As with many statistics/metrics, once boiled down to a sound bite they lose a lot of the caveats, disclaimers and warnings.

The number '3400' likely comes from CVE/NVD, which is a specialized vulnerability database (VDB) designed to assign a tracking number and standard naming scheme to vulnerabilities. In doing so, CVE will merge multiple vulnerabilities into a single entry if the vulnerability is essentially the same (10 scripts all vulnerable to RFI) or if there is no actionable information due to a vague disclosure (10 Oracle vulns). Even though one CVE may have as many as 80 or more distinct vulnerabilities, they get counted as *1* vulnerability by many people using CVE as their source for vulnerability disclosure metrics.

What happens when you take the 3,400 from CVE and expand it to account for the above, and then throw in vulnerabilities that they did not catalog due to a lack of resources? At least 8,252 in 2007 that I know of.

Yes, that is 'down' from the previous year (10,553) but still doesn't consider changes in the vulnerability disclosure world. The value of working 0-day has gone up and the incentive to disclose is going down. In addition to the financial value of such information, the threat of lawsuit from vendors, the trends in disclosure (it's no longer "RFI year") and the resources assigned to track all of this, there are a lot more factors that must be considered before throwing such numbers out. To do so is irresponsible and misleading at best.

Next, Arsenault slips up even worse by saying "3,400 new vulnerabilities were DISCOVERED," which is just blatantly false. We know vulnerabilities are discovered and not disclosed. Sometimes they are used for the dreaded "0-day", sometimes they are quietly fixed by the vendor. Either way, the number of vulnerabilities in any VDB is not a reflection of what was discovered, just what was disclosed in specific forums.

: One trend that pops out is that attackers are increasingly laying off
: operating systems and exploiting applications instead. One reason for
: this, Arsenault says, is that vendors like Microsoft, Apple and RedHat
: have done a good job in recent years securing the IP stack and
: operating system.

Or one may argue that, increasingly, these operating systems and TCP/IP stacks sit behind cheap routers provided with broadband access. You can no longer remotely pop a Windows box as easily as you could years ago, simply because you can't pass traffic directly to it. Since the applications are originating the connection outbound, the router is happily passing traffic back to it per the user's request. The exploit vector is much more likely to work. Even better, that fancy browser-based bug may be cross-platform!

: "This is not a problem that people should be thinking is just an
: Office problem," he said. "It's anybody who uses file formats that are
: not XML based going forward." Adobe, Corel and Google are among others
: facing similar challenges, Arsenault said.

Uh, is Arsenault implying that using XML is somehow safe from file handling vulnerabilities?

Apple Mac OS X Foundation NSXML XML File Handling Arbitrary Code Execution
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0059

Opera XML Document Handling Crafted Attribute Sanitization Filter Bypass
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1082

Mozilla Multiple Products XML Document XMLDocument.cloneNode() Function Arbitrary Script Code Execution
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0415

: On a positive note, Microsoft is seeing the amount of publicly
: exploitable code, at least for its own software, shrink. But Arsenault
: does sweat over whether there's really less exploitable code, or
: whether it's more a case of such code just being kept secret by nation
: states looking to wage cyberwar.

See above. There is a serious financial value to working exploit code for such vulnerabilities. Even the most public pay-for-vuln shops like iDefense and TippingPoint/ZDI will pay *tens of thousands of dollars* for Microsoft Windows exploit code.

___________________________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Sun Mar 30 2008 - 22:36:09 PST