Friday, May 2, 2008

Re: [ISN] What spooks Microsoft's chief security advisor


Forwarded from: security curmudgeon <jericho (at) attrition.org>

: http://www.networkworld.com/news/2008/032608-microsoft-security-concerns.html
:
: By Bob Brown

[..]

: Speaking at the Boston SecureWorld conference Wednesday, the 19-year
: Microsoft veteran whose job includes protecting enterprises,
: developers and Microsoft itself said there actually is plenty of good
: news on the security front. For example, his outfit scans a half
: million devices (with customer permission) per month and in the first
: half of last year saw the first period-over-period decline in new
: vulnerabilities disclosed across Microsoft and non-Microsoft software
: since 2003.
:
: However, 3,400 new vulnerabilities were discovered and "it's still a
: big number," Arsenault says. "So if vulnerability rates are down,
: where are they?"

Oh where to begin..

The drop in vulnerabilities disclosed in 2007 seems to be a 'fact' that
many journalists and some industry denizens latched on to at some point
over the last few months. As with many statistics/metrics, once boiled
down to a soundbite they lose a lot of the caveats, disclaimers and
warnings.

The number '3400' likely comes from CVE/NVD which is a specialized
vulnerability database (VDB) designed to assign a tracking number and
standard naming scheme to vulnerabilities. In doing so, CVE will merge
multiple vulnerabilities into a single entry if the vulnerability is
essentially the same (10 scripts all vulnerable to RFI) or if there is
no actionable information due to a vague disclosure (10 Oracle vulns).
Even though one CVE may have as many as 80 or more distinct
vulnerabilities, they get counted as *1* vulnerability by many people
using CVE as their source for vulnerability disclosure metrics.

What happens when you take the 3,400 from CVE and expand it to account
for the above, and then throw in vulnerabilities that they did not
catalog due to a lack of resources? At least 8,252 in 2007 that I know
of. Yes, that is 'down' from the previous year (10,553) but still
doesn't consider changes in the vulnerability disclosure world. The
value of working 0-day has gone up and the incentive to disclose is
going down. In addition to financial value of such information, the
threat of lawsuit from vendors, the trends in disclosure (it's no longer
"RFI year") and the resources assigned to track all of this, there are a
lot more factors that must be considered before throwing such numbers
out. To do so is irresponsible and misleading at best.

Next, Arsenault slips up even worse by saying "3,400 new vulnerabilities
were DISCOVERED" which is just blatantly false. We know vulnerabilities
are discovered and not disclosed. Sometimes they are used for the
dreaded "0-day", sometimes they are quietly fixed by the vendor. Either
way, the number of vulnerabilities in any VDB is not a reflection on
what was discovered, just what was disclosed in specific forums.

: One trend that pops out is that attackers are increasingly laying off
: operating systems and exploiting applications instead. One reason for
: this, Arsenault says, is that vendors like Microsoft, Apple and RedHat
: have done a good job in recent years securing the IP stack and
: operating system.

Or one may argue that increasingly, these operating systems and TCP/IP
stacks sit behind cheap routers provided with broadband access. You can
no longer remotely pop a Windows box as easily as you could years ago
simply because you can't pass traffic directly to it.

Since the applications are originating the connection outbound, the
router is happily passing traffic back to it per the user's request. The
exploit vector is much more likely to work. Even better, that fancy
browser based bug may be cross-platform!

: "This is not a problem that people should be thinking is just an
: Office problem," he said. "It's anybody who uses file formats that are
: not XML based going forward." Adobe, Corel and Google are among others
: facing similar challenges, Arsenault said.

Uh, is Arsenault implying that using XML is somehow safe from file
handling vulnerabilities?

Apple Mac OS X Foundation NSXML XML File Handling Arbitrary Code
Execution - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0059

Opera XML Document Handling Crafted Attribute Sanitization Filter Bypass
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1082

Mozilla Multiple Products XML Document XMLDocument.cloneNode() Function
Arbitrary Script Code Execution
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0415

: On a positive note, Microsoft is seeing the amount of publicly
: exploitable code, at least for its own software, shrink. But Arsenault
: does sweat over whether there's really less exploitable code, or
: whether it's more a case of such code just being kept secret by nation
: states looking to wage cyberwar.

See above. There is a serious financial value to working exploit code
for such vulnerabilities. Even the most public pay-for-vuln shops like
iDefense and TippingPoint/ZDI will pay *tens of thousands of dollars*
for Microsoft Windows exploit code.


___________________________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
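The post's central complaint is that "one CVE entry" and "one vulnerability" are not the same unit, so a year-over-year trend depends on which unit you count. The script below is an added illustration, not code from the ISN post or from CVE/NVD: it defines a small constructed set of VDB-style records (the EXAMPLE-* identifiers are placeholders, not real CVE ids) in which some entries merge several vulnerable scripts and some are vague advisories with no actionable detail, then counts the same data both ways. On this sample the entry count goes down from one year to the next while the count of distinct vulnerabilities goes up, which is exactly the caveat the post says gets lost in the soundbite.

```python
"""Count vulnerabilities by VDB entry versus by distinct merged vulnerability.

Added illustration only; the records below are constructed sample data,
not real CVE entries, and the counting rules are assumptions modelled on
the merging behaviour described in the post.
"""
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class VdbEntry:
    entry_id: str              # placeholder id, not a real CVE number
    year: int
    affected: tuple            # distinct vulnerable components merged into the entry
    vague: bool = False        # True when the advisory gave no actionable detail


# Constructed sample: one 2006 entry merges 3 scripts; one 2007 entry merges 10.
SAMPLE_ENTRIES = (
    VdbEntry("EXAMPLE-2006-0001", 2006, ("index.php",)),
    VdbEntry("EXAMPLE-2006-0002", 2006, ("admin.php", "user.php", "cart.php")),
    VdbEntry("EXAMPLE-2006-0003", 2006, ("unspecified",), vague=True),
    VdbEntry("EXAMPLE-2007-0001", 2007, tuple(f"mod{i}.php" for i in range(10))),
    VdbEntry("EXAMPLE-2007-0002", 2007, ("unspecified",), vague=True),
)


def count_by_entry(entries: Iterable[VdbEntry], year: int) -> int:
    """The soundbite metric: one count per database entry."""
    return sum(1 for e in entries if e.year == year)


def count_by_distinct_vuln(entries: Iterable[VdbEntry], year: int,
                           vague_weight: int = 1) -> int:
    """Expand each entry to the distinct vulnerabilities merged into it.

    A vague entry cannot be expanded, so it is counted as vague_weight
    (default 1), which keeps this metric a lower bound.
    """
    total = 0
    for e in entries:
        if e.year != year:
            continue
        total += vague_weight if e.vague else len(e.affected)
    return total


def compare_years(entries: Iterable[VdbEntry], prev: int, cur: int,
                  counter: Callable[[Iterable[VdbEntry], int], int]) -> dict:
    """Report the year-over-year change under a given counting rule."""
    entries = tuple(entries)
    before, after = counter(entries, prev), counter(entries, cur)
    return {"prev": before, "cur": after, "change": after - before}


if __name__ == "__main__":
    for name, rule in (("by entry", count_by_entry),
                       ("by distinct vulnerability", count_by_distinct_vuln)):
        result = compare_years(SAMPLE_ENTRIES, 2006, 2007, rule)
        direction = "down" if result["change"] < 0 else "up"
        print(f"{name:26s}: {result['prev']} -> {result['cur']} ({direction})")
```

Run as-is it prints the two trends side by side; the per-entry rule reports a decline and the expanded rule reports an increase on the same records. The vague_weight parameter is where the "10 Oracle vulns in one entry" case lives: raising it shows how much the expanded figure depends on an assumption the database itself cannot resolve.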