Like most people who enjoy the benefits of drinking from the "Marketing cup" that include nice dinners and traveling to various trade-shows, I know this largesse comes with a price tag. One of the I.O.U.s I am obliged to complete is an end-of-year retrospective. Having done this for a few years, I wanted to get away from a high-level “things were bad but we’re all still here… hopefully we (well, not 'we', as we are perfect, but admins, web developers etc) all learned a valuable lesson and next year will be wonderful/better” type post. Instead, last week as I was reviewing the patch Tuesday pre-release notice from Microsoft (for the 12thtime this year), I thought of all the energy that this patch Tuesday, and the preceding Thursday creates around the (cyber) world. In one area we have a group of security researchers who want to understand the issue that is being patched. Then there is a large group of administrators who want to get a feel for how bad the next week is going to be, and how many machines they are going to have to schedule reboots for. And let's not forget there are security vendors looking to either produce signatures or code to tell you which patch appears to be missing. And lastly, our Exploit Writing Team, that will identify what is being patched and determine if it can be exploited –because if it can, they will code and QA it and turn it into one of the hundreds of commercial grade exploits we release each year. The first law of thermodynamics states (roughly) that energy cannot be created or destroyed, so what happens to this energy every month? That got me thinking and I tried to understand where this energy went; in the end it went to four places:
1) A large portion of the energy went to scheduling change control tickets and maintenance windows for servers
2) A lesser (but still significant) portion went to the act of testing patches, patching and rebooting production machines and validating everything works as expected.
3) A heated portion of this energy was shared by helpdesk and users in the networks. Users complained that every lost document/idea/issue was caused by the forced reboot their desktop performed at the most inconvenient time. Helpdesks bear the brunt of this and dissipate that energy through toys, drinks or after work rants…
4) A portion of the announced vulnerabilities absorb a lot of the energy, as they are nurtured into exploits and cause some level of havoc or consternation for folks in the IT world.
It is this last point that really got me thinking – which of those announced vulnerabilities were the shooting stars of security risks? So I decided to put in some time and provide my opinion on which were the most interesting vulnerabilities announced on patch Tuesdays during the course of 2012… Based on my count there were 83 vulnerabilities announced by Microsoft during the course of 2012 – while that averages out to a little over 6 a month it is still reasonable number of patches (and reboots) to apply to your systems in the course of a year. While I think the Microsoft severity rating system of Critical/Important etc is quite good, I try as a rule to avoid allowing myself to be biased by those ranks – any vulnerability that helps me learn more about a target network or gain a foothold I can leverage is a serious one. What I thought about was the ways we are seeing real attackers gain access to real data and how these vulnerabilities would he leveraged by the bad guys. Rather than speculate, I am basing scenarios on the recent breach of the South Carolina Department of Revenue – they have posted the Incident Response report publically, and it is a great teaching tool for us all. If you have not read the report (and I highly recommend that you do) it can summarized like so: An attacker used a phishing attack to compromise a user’s machine and grab credentials, the attacker then used those credentials to access other machines, which he/she then also mined for credentials and reused. During the course of this he/she used malicious software to further cement their access. We see that again and again, targeted emails or drive-by downloads give the attacker initial access. Privilege escalation exploits give them full control on a system and a great beach-head to further move around the internal networks of the target environment. Those are the desired abilities of a professional bad guy, and reported vulnerabilities that allow for that are their bread and butter. So first off we need that initial entry point – some juicy client side attacks. We might only get one shot at these so we want our attack to work in as many environments as possible. When you look at the bulletins for the last 12 months there are a few great ones: MS12-027 - Vulnerability in Windows Common Controls Could Allow Remote Code Execution (published April) A vulnerability in Office 2003, 2007 and 2010 (plus SQL, but it is the fact that it effects Office that is most exciting). That is a great spread of MS Office versions, you could argue that it is only people who don’t run MS Office that are not targets. You can imagine crafting a word document with this vulnerability built in, the classic email claiming the word document attached contains information about changes to the company benefits plan would have a lot of people opening the document (swap out the word ‘reductions’ for changes and almost everyone would open it). MS12-037 - Cumulative Security Update for Internet Explorer (published June) Let’s face it, who doesn’t like the smell of unpatched IE in the morning? This was update that covered a multitude of issues, including one that was publically known. It was rated as critical for IE 6, 7, 8 and 9 on windows clients – otherwise known as ‘every machine in your userland…’ I no longer need you to open a file (on the off chance that your users have learned not to open attachments) but just click on a link. Now we are just talking a fake amazon gift certificate email as a thanks for ‘all your hard work in these tough times’ or for the holiday season and I will have people clicking and giving me access to their systems. MS12-060 - Vulnerability in Windows Common Controls Could Allow Remote Code Execution (published August) Déjà vu all over again… A vulnerability in Office 2003, 2007 and 2010 (32bit) allows an attacker to execute code remotely… So if you think your target organization has patched for MS12-027 then recycle that attachment with this brand new exploit! OK, so we are on the machine… but it is just some user down in the basement with no access to anything I need to take full control of their machine (and maybe their stapler), as the first step in trying to get full control of the network. We need to leverage some local vulnerabilities on the machine to get SYSTEM level access on the machine. MS12-047 - Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (published July) Well, I am not sure about the word ‘could’ in the vulnerability title, they definitively DO allow for elevation of privilege as we demonstrated when we responsibly disclosed this issue to Microsoft and then when we released a module for it to our customers. Go from user to full control quickly on most windows platforms in one quick move. MS12-042 - Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (published June) Ranked as ‘Important’ (not critical like all the others) this can still allow you to get the control we need of a lot of windows desktops. But there is one vulnerability that did not make the list – which in my mind produced the most amount of energy (and speculation, tweets and conspiracy theories of leaked code etc.) of all of them: MS12-020 - Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (published March) This vulnerability caused the big race, who could produce a working remote code execution vulnerability for this first? We had multiple members of our professional in-house Exploit Writing Team focused on this bug and we saw others without our level of in-house expertise offering cash bounties for exploits – the twittersphere blew up with speculation that the POC provided to Microsoft might have made its way overseas. We were the first to release a Denial of Server attack for this vulnerability, but we could not take it to the next step where we could control the crash and execute our code on the system. However I am sure all who were involved would agree the energy was fantastic! I wanted to look outside my own experience and use some other resources to better understand the urgency around the patches listed above. I contacted my friend Adam Compton the creator and maintainer of www.exploitsearch.net (an index of exploits) and asked him about the amount of search activity he has seen for each of the vulnerabilities I have listed above. Now, it is December 11 and this is the eggnog season, so I didn’t bother doing any kind of compensation for the fact that these vulns were released at different points during the year. But Adam’s numbers showed that the total combined searches for all the vulnerabilities was 1,048 – but it was the breakdown that was amazing:
|Vuln||% of searches|
Let’s face it, as Adam said to me everyone is looking for the next MS08-067… and it looks like most of us were hoping that MS12-020 would be the one… What does this mean for vulnerabilities present and future? (Admit it, you thought I wasn’t going to be able to tie the title in…) It means for vulnerability present the Exchange (another Internet-facing service) related vulnerability will generate a lot of interest, could we get a MS08-067 this year after-all? – and for vulnerability future, it is going to be the vulnerabilities that look like they could become network exploits that could lead exploit writers to think it is Christmas every day.