All Posts

90 posts

Laws 2.0 Declared

Today we declared at the RSA Conference the new Laws of Vulnerabilities 2.0 with focus on 5 critical industry segments. The findings are very interesting and the research shows that most industries are still slow in their patching and remediation efforts. Summary of the new Laws:

Half-Life–The half-life of critical vulnerabilities remained at 30 days across all industries. Comparing individual industries, the Service industry has the shortest half-life of 21 days, Finance ranked second with 23 days, Retail ranked third with 24 days and Manufacturing ranked last with a vulnerability half-life of 51 days.

Prevalence–Sixty percent of the most prevalent and critical vulnerabilities are being replaced by new vulnerabilities on an annual basis.

Persistence–The Laws 2.0 declared that the lifespan of most, if not all vulnerabilities is unlimited and a large percentage of vulnerabilities are never fully fixed.

Exploitation–Eighty percent of vulnerability exploits are now available within single digit days after the vulnerability’s public release.

Full findings are included in the PDF on the side.
Link to Press Release.

Microsoft Patch Tuesday Bottomline – April 2009

Microsoft’s Security bulletin for April brought a total of 8 advisories covering 23 (21 distinct, 2 are covered in multiple advisories) vulnerabilities in Windows and Office. The most interesting part of the bulletin is the elevated number of vulnerabilities that have known exploits. 6 vulnerabilities have already been used by attackers and 4 have a proof of concept or attack plan published. For IT administrators this means that their window to patch is rapidly shrinking, when before weeks were an acceptable timeframe, now days seems more adequate.

The most urgent patches to apply are the advisories that have working exploits – MS09-009 for Office/Excel, MS09-010 for Windows/Office and MS09-012 for Windows. Microsoft’s Internet Explorer cumulative patch MS09-014 has proof of concept code available for at least one its covered vulnerabilities and thus has a high exploitability index of 1 (consistent exploit code likely). All, but MS09-012 are rated as critical on all of Microsoft’s operating systems, meaning that the attacker can gain complete control over the affected systems and apply even to Microsoft newer OS versions such as Vista and Server 2008.

Users who have updated already to Internet Explorer 8 are not affected by MS09-014, another indicator of the significant amount of work Microsoft has invested into this new browser and an incentive to move towards that version of IE as quickly as possible.

The vulnerability addressed by MS09-016 is the only one that is remotely exploitable. It affects Microsoft’s ISA product used in securing and proxying companies' internet connections. As it is limited to a denial of service condition it was rated as Important. Further its exploitability index has the lowest value of 3 (Functioning exploit code unlikely), meaning that it is difficult to write a successful and consistent exploit


Taming of the Shrew aka Conficker…

Yesterday started great, the weather was excellent, looked like a continuation of a calm weekend – then Dan Kaminsky called…

Researchers in Germany had come up with a way to remotely detect the Conficker worm. His idea was to get that knowledge out to as many scanner vendors as possible and see if we could implement the check ASAP. This new detection method allows IT administrators to remotely detect the Conficker virus directly on the infected machines without needing credentials or an agent installed. For many large enterprises, this represents an opportunity to perform a quick and non-intrusive audit of their patching efforts. We quickly assembled a team to take a look at the code that Felix Leder and Tillman Werner from the University of Bonn had made available in Python and saw no problem in implementing the detection in the QualysGuard scanner. After finishing the development proof-of-concept, we started formalizing the project, creating the necessary branches in our source code system, checking in the new code and started a new build and acceptance testing cycle. Late on Sunday QA had a production grade package that could be used for basic functional testing and then put it through our nightly regression testing cycle. After reviewing the regression results earlier today we released the code to our production systems around 3PM PDT. Qualys press release.

Thanks to Rich Mogull and Dan Kaminsky for bringing this to us. Many Thanks also to Felix and Tillman, excellent work, looking forward to reading your paper on the subject when I regain my breath. Also, special thanks for David Watson and Jose Nasario who helped us by providing Conficker samples for testing.

Reference URLs:

Conficker Worm: 30% Still Infected

Qualys estimates that about 30 percent of Windows-based computers remain vulnerable to infection because they have not been updated with the patch.


In December 2008, Qualys' customers performed scans on over 9 Million IP addresses. There is some duplication as some customers scan multiple times in a given month, but the majority of customers are on a 30 day cycle in their scan schedules. The majority of these scans are against Windows machines as they are the most prevalent in our customers' networks. It is safe to say that data is based on Millions of IP addresses scanned.

Conficker Worm Explained

What class of virus is it and have you seen something like it before?
This worm is a sophisticated piece of software, beyond exploiting MS08-067 it uses a number of other techniques to propagate, i.e. network shares and removable media such as USB thumb drives. It has a variety of interesting mechanisms to trick the user into executing it, such as changing the icon and message in the autorun dialog. It also uses an innovative way to assure that its control channel, where it receives its commands from, is not shutdown. It contacts a large number of dynamically named URLs for commands, making it harder to shut down the worm down. It is definitely a intelligently designed worm, demonstrating that worm writers are constantly innovating to keep their business moving.
Why is it so pervasive when the vector was supposedly patched by Microsoft?
Our scanning data indicates that many machines are not patched yet, even 2 months after the release of the patch by MSFT. We derive our numbers from enterprise customers and SMB, but in areas where non-licensed machines are in use the ratio of unpatched machines must significantly higher due to the difficulty of getting and installing patches and the fear of detection.
Is the security community responding fast enough to the threat?
The security community is doing excellent work around that vulnerability and the exploiting worm. But overall IT is not reacting fast enough, as our data reveals and as can be seen by the extent of the damage that the worm is doing. Patch cycles have to be accelerated. Machines that require longer patch cycles (due to their criticality) need to have additional security settings and/or technologies installed that can help mitigate the effects.

In general, we suggest providing general comments to the above questions hinting towards the patching data only to substantiate your claims since the last comments we provided him were very data specific.

Analysis of Critical Microsoft Patches in the Second Half of 2008


During the year-end slowdown Qualys analyzed anonymous data captured by us during our global vulnerability scans. The analysis focuses on critical Microsoft patches published in the second half of 2008 to reduce the initial dataset.
Within the 20+ patches we can clearly see three distinct groups with different occurrence profiles:

  • The first group contains the major Windows operating system and Microsoft Office vulnerabilities, with Office being the clear leader with a frequency of up to 25 % more than Windows OS patches.
  • The second group are less frequently installed components in both Windows and Office, such as Office document filters (i.e. MS08-044) or VB runtime components (MS08-070) – they have less than 30% of the occurrence frequency of the first group.
  • At a distant third, we see vulnerabilities in specialized parts of the operating system – the SNA communications connector (MS08-059) and the Windows Media encoder (MS08-053). These make up less than 2% of the overall mix.
  • As a general trend, after about 30 days the majority of systems have the patches applied and the fix rate then slows down. This applies to all groups, even the comparatively low frequency group three follows this pattern of initial activity.
  • On a side note group three also contains the only vulnerability that was limited to Windows Vista – MS08-075 – giving us an indication of the low numbers of deployed Vista installations in enterprises.

Conficker Worm: Patching is Not Fast Enough

In our statistical data for MS08-067 we see it being patched at about the same rate as other critical patches. Over 50% of all machines are patched after approximately 30 days. After that period we see the patch rates go down and the overall number of machines that are attackable only slowly diminishing.  Unfortunately this leaves enough machines to be exploited by the "Conficker" worm types even today, over 45 days later.

We would have liked to see a faster reaction by the computer users given the significance of the patch but there still seems to be a barrier to reach everybody and make them understand the urgency of patching.

Patch Tuesday: December 08

This vulnerability in Microsoft SQL Server product is highly critical as it allows the attacker to remotely control the database and the underlying server. DBAs should immediately review the work-arounds provided in the advisory and implement them as soon as possible. MS SQL-Server is a highly popular product as we have seen in April of this year, when a SQL-Injection vulnerability that specifically targeted MS-SQL server driven websites was used to redirect users to websites serving malware. The effects of this attack are still out on the internet, as we can still see sites that have fallen victim to the attack and that have not been restored to an exploit free state.

The potential exists for leakage of private data and major disruptions in critical MS SQL driven applications, such as e-commerce and HR. On the positive side we believe that companies have aggressively firewalled off their MS SQL server from being accessible directly on the internet after the traumatic Slammer worm in 2003 which should provide some protection from direct attacks. However a smart attacker can easily pair this exploit with another attack mechanism such as phishing to get behind the corporate firewalls and then attack all accessible MS SQL server installations.

We expect that Microsoft is currently working on patch and will release it out of band. Differently from the recent release of the Internet Explorer patch the deployment will be slow. MS SQL is part of the core server infrastructure of many enterprise companies and is subject to lengthy patch and testing cycles and before any such fix can be deployed.

IE7 Exploit: MS Releases Out-of-Band Patch

As we expected Microsoft is releasing an out-of-band patch tomorrow 12/17 for a critical Internet Explorer 7 vulnerability. The browser flaw had been disclosed roughly one week ago as a zero day vulnerability and active exploits have been around the internet for that timeframe as well. The work-arounds provided by Microsoft were very technical and quite cumbersome to implement making it imperative for Microsoft to release a fix as quickly as possible.

Given the typical requirements for developing, testing and packaging the changes to a program as widely deployed as Internet Explorer we have seen one of the fastest turnarounds possible. Moving faster would require having specific mechanisms in the base code of the application allowing to push out changes in a less disruptive way and would require an extensive rewrite of Internet Explorer. Other browser providers have an edge here as they already have update mechanisms included in their products.

November 2008: MSFT Patch Release Trends


In the past month November, Microsoft released only 2 Security bulletins, both of critical severity. However in late October, MSFT released a fix for potentially very exploitable vulnerability (MS08-067 RPC Server) out-of-band, in itself already an indication of its high severity and its potential to develop into an aggressively replicating worm. We took a look at patching trends related to this publicized vulnerability.

Specifically, we monitored between 200,000 and 300,000 scans per day. The graph above shows the trends.

Customer Patching Trends
We have used our vulnerability statistics capabilities to track the evolution of the vulnerabilities to see how Microsoft customers apply these patches.

  • Unfortunately, no. The emergency patch (MS08-67) didn’t show erratic  reductions in occurrences of vulnerabilities and it appears customers were  patching at a normal rate.
  • However, for the last week we see a fairly rapid reduction in  vulnerability numbers indicating that after a large scale worm was announced  and confirmed (Trend Micro mentions over 500,000 machines infected, Symantec  mentions major activity in their honey nets), customers are stepping up their  patch activity.
  • Over the last month and a half we have seen the occurrence of MS08-067 drop from a high value of 8 to close to 2 this week, and overall 70%  reduction.

MS08-067, 68 and 69 Trends
PLEASE NOTE: The information below is based off normalized data, the Y-axis represents the number of vulnerabilities identified / total number of scans. The X -axis represents the dates. Normalizing the data was required in order to fairly represent the data in a graphical form. If you use the graphic, please attribute to Qualys.