I am delighted to present the Laws 2.0 research at Black Hat and with new data that compares the progress of patching across multiple critical industries. The focus on this talk will be on zero-days vulnerabilities and how organizations deal with them. I will discuss this topic with a panel of leading CISOs and security experts that includes Richard Bejtlich from General Electric, Ed Bellis from Orbitz, Paul Griffiths from Goldman Sachs, Kris Herrin from Heartland Payment Systems and Mark Weatherford from the State of CA. Please join us if you are attending Black Hat USA 2009. I am personally looking forward to the event and participating in all the Black Hat discussions and festivities. More details about this talk here.
Microsoft released advisory KB972890 yesterday for a zero-day vulnerability found by ISS, warning of an attack on an ActiveX control for Microsoft Video. The main attack vector is for the user to browse a website that has the exploit installed with Internet Explorer- further interaction is not necessary, the attack is of the type called "drive-by". This makes the attack very dangerous as there is very little that Internet Explorer users can do to defend themselves. Security news here and here report that thousands of websites have started serving the exploits already, which is supported by the in-depth information that we are getting from our iDefense feed which has a long list of sites that are serving the exploits.
The described work arounds involve disabling 40+ classids in the registry, which should be scriptable by IT administrators. The Microsoft support website has a FixIt link which individual users can use to apply those changes to the registry.
QualysGuard detects this zero-day vulnerability as QID 90510, but does not raise it if you have the described workaround applied. We will be enhancing the detection as more information about workarounds and patches becomes available.
How do you deal with ActiveX controls, do you disable them in your default builds ? Let me know by sending feedback. We also will discuss this issue on our upcoming panel at the Black Hat security conference in Las Vegas with the present industry experts.
Microsoft’s May Security Bulletin contains a single advisory for PowerPoint in Microsoft Office (MS09-017). It addresses 14 distinct vulnerabilities, including the 0-day vulnerability that was identified in the beginning of April 2009. While the vulnerabilities rank only as important on most versions of Microsoft Office, they all categorized as "remote code execution" and have a low exploitability index, meaning exploits are relatively easy to write and can be expected to be used soon in attacks.
One of the mentioned workarounds for CVE-2009-0556 , the 0-day vulnerability patched in this advisory is installing MOICE (KB937696). MOICE stands for "Microsoft Office Isolated Conversion Environment," a toolset that sanitizes Office documents when opened through browsing and email by removing potentially dangerous code. It has been available since May 2007 and is cited as a work-around in eight of Microsoft’s 78 advisories in 2008. MOICE is an interesting tool, used to reduce the risk produced by the increasing number of file format vulnerabilities. Its limitation is that it only works with Office 2003 and 2007; Office 2000 and Office XP are not supported.
In addition to the Microsoft patches both Adobe and Apple released their equivalent of "Patch Tuesday" advisories. Adobe fixed a recent critical 0-day vulnerability in their Acrobat and Reader product lines. Compared to their February patch for a known 0-day, this time around they reacted much faster and published patches for Windows, Mac OS X and Unix simultaneously. Adobe software is widely installed and according to statistics from F-Secure PDF based file exploits are on the rise – 49% for the first 4 months of 2009 compared to 28% in 2008.
File format vulnerabilities of this kind represent a significant attack vector, but they continue to be neglected by IT administrators. Our ongoing analysis of the previous Adobe vulnerability APSA09-01 (released February 2009, patch available on March 10 as shown by the red line in the graph) shows no significant reduction in the number of exploitable machines.
If this trend continues to persist for the Adobe Reader vulnerabilities, which it has in all 2008 and as demonstrated in Laws 2.0, attackers don’t need to rush anymore, they can take their time in figuring out the best way to get an infected PDF file into their victims.
Today we declared at the RSA Conference the new Laws of Vulnerabilities 2.0 with focus on 5 critical industry segments. The findings are very interesting and the research shows that most industries are still slow in their patching and remediation efforts. Summary of the new Laws:
Half-Life–The half-life of critical vulnerabilities remained at 30 days across all industries. Comparing individual industries, the Service industry has the shortest half-life of 21 days, Finance ranked second with 23 days, Retail ranked third with 24 days and Manufacturing ranked last with a vulnerability half-life of 51 days.
Prevalence–Sixty percent of the most prevalent and critical vulnerabilities are being replaced by new vulnerabilities on an annual basis.
Persistence–The Laws 2.0 declared that the lifespan of most, if not all vulnerabilities is unlimited and a large percentage of vulnerabilities are never fully fixed.
Exploitation–Eighty percent of vulnerability exploits are now available within single digit days after the vulnerability’s public release.
Microsoft’s Security bulletin for April brought a total of 8 advisories covering 23 (21 distinct, 2 are covered in multiple advisories) vulnerabilities in Windows and Office. The most interesting part of the bulletin is the elevated number of vulnerabilities that have known exploits. 6 vulnerabilities have already been used by attackers and 4 have a proof of concept or attack plan published. For IT administrators this means that their window to patch is rapidly shrinking, when before weeks were an acceptable timeframe, now days seems more adequate.
The most urgent patches to apply are the advisories that have working exploits – MS09-009 for Office/Excel, MS09-010 for Windows/Office and MS09-012 for Windows. Microsoft’s Internet Explorer cumulative patch MS09-014 has proof of concept code available for at least one its covered vulnerabilities and thus has a high exploitability index of 1 (consistent exploit code likely). All, but MS09-012 are rated as critical on all of Microsoft’s operating systems, meaning that the attacker can gain complete control over the affected systems and apply even to Microsoft newer OS versions such as Vista and Server 2008.
Users who have updated already to Internet Explorer 8 are not affected by MS09-014, another indicator of the significant amount of work Microsoft has invested into this new browser and an incentive to move towards that version of IE as quickly as possible.
The vulnerability addressed by MS09-016 is the only one that is remotely exploitable. It affects Microsoft’s ISA product used in securing and proxying companies' internet connections. As it is limited to a denial of service condition it was rated as Important. Further its exploitability index has the lowest value of 3 (Functioning exploit code unlikely), meaning that it is difficult to write a successful and consistent exploit
Yesterday started great, the weather was excellent, looked like a continuation of a calm weekend – then Dan Kaminsky called…
Researchers in Germany had come up with a way to remotely detect the Conficker worm. His idea was to get that knowledge out to as many scanner vendors as possible and see if we could implement the check ASAP. This new detection method allows IT administrators to remotely detect the Conficker virus directly on the infected machines without needing credentials or an agent installed. For many large enterprises, this represents an opportunity to perform a quick and non-intrusive audit of their patching efforts. We quickly assembled a team to take a look at the code that Felix Leder and Tillman Werner from the University of Bonn had made available in Python and saw no problem in implementing the detection in the QualysGuard scanner. After finishing the development proof-of-concept, we started formalizing the project, creating the necessary branches in our source code system, checking in the new code and started a new build and acceptance testing cycle. Late on Sunday QA had a production grade package that could be used for basic functional testing and then put it through our nightly regression testing cycle. After reviewing the regression results earlier today we released the code to our production systems around 3PM PDT. Qualys press release.
Thanks to Rich Mogull and Dan Kaminsky for bringing this to us. Many Thanks also to Felix and Tillman, excellent work, looking forward to reading your paper on the subject when I regain my breath. Also, special thanks for David Watson and Jose Nasario who helped us by providing Conficker samples for testing.
Qualys estimates that about 30 percent of Windows-based computers remain vulnerable to infection because they have not been updated with the patch.
In December 2008, Qualys' customers performed scans on over 9 Million IP addresses. There is some duplication as some customers scan multiple times in a given month, but the majority of customers are on a 30 day cycle in their scan schedules. The majority of these scans are against Windows machines as they are the most prevalent in our customers' networks. It is safe to say that data is based on Millions of IP addresses scanned.
What class of virus is it and have you seen something like it before?
This worm is a sophisticated piece of software, beyond exploiting MS08-067 it uses a number of other techniques to propagate, i.e. network shares and removable media such as USB thumb drives. It has a variety of interesting mechanisms to trick the user into executing it, such as changing the icon and message in the autorun dialog. It also uses an innovative way to assure that its control channel, where it receives its commands from, is not shutdown. It contacts a large number of dynamically named URLs for commands, making it harder to shut down the worm down. It is definitely a intelligently designed worm, demonstrating that worm writers are constantly innovating to keep their business moving.
Why is it so pervasive when the vector was supposedly patched by Microsoft?
Our scanning data indicates that many machines are not patched yet, even 2 months after the release of the patch by MSFT. We derive our numbers from enterprise customers and SMB, but in areas where non-licensed machines are in use the ratio of unpatched machines must significantly higher due to the difficulty of getting and installing patches and the fear of detection.
Is the security community responding fast enough to the threat?
The security community is doing excellent work around that vulnerability and the exploiting worm. But overall IT is not reacting fast enough, as our data reveals and as can be seen by the extent of the damage that the worm is doing. Patch cycles have to be accelerated. Machines that require longer patch cycles (due to their criticality) need to have additional security settings and/or technologies installed that can help mitigate the effects.
In general, we suggest providing general comments to the above questions hinting towards the patching data only to substantiate your claims since the last comments we provided him were very data specific.