The best exploits are old exploits

Image credit: "Old school" from Clothesline - NZ Clothing and Design

Last week I had a really interesting meeting with one of the Security Advisors from Microsoft prior to the release of their Security Intelligence Report (SIR) – Volume 11.

While we were discussing several specific things in this meeting, one of the side conversations came back to the issues surrounding legacy software and its ongoing support. There are some really interesting numbers in the latest analysis of the exploits being leveraged against the systems Microsoft monitors in creating these reports.

While “zero-day” vulnerabilities are the things making the news (at least in the industry press), they accounted for less than 1% of malicious activity.

One of the more worrying stats for me was the leveraging of exploits for which updates were already available. Around 6% of incidents were exploiting issues for which a vendor had already released a fix. Further to this, 3.2% of the overall incidents were for issues resolved more than a year ago! The reality is, people are simply not updating their software, and I’m really not sure where the problem sits.

Given that the author of the study is Microsoft, it’s safe to assume that the measurements are against Windows based systems. These systems have had Operating System and Application updates built in to their default operation for many, many years now, and yet I still come across machines ‘in the wild’ with update indicators sitting right next to the system clock on the task bar, simply begging to be clicked so that the machine can be updated. The patches are set to download by default, and they come from very well distributed file caches so the downloads are as fast as possible – so why are they not being applied? This phenomenon is not isolated to home PCs, where the owner may not know why (or how) these patches should be applied; it’s also apparent in managed environments such as corporates and schools.
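The gap described above, updates that have been downloaded but never applied, is easy to measure on a single Windows machine. The following PowerShell script is an added example and not part of the original post; it assumes the Windows Update Agent COM API (`Microsoft.Update.Session`) is available, as it is on stock Windows installs, and it lists every pending update together with how long its fix has been available, flagging anything older than the one-year mark the SIR figures refer to.

```powershell
# Added example (not from the original post): list pending Windows updates and
# flag those whose fix has been available for more than a year.
# Uses the Windows Update Agent COM API (Microsoft.Update.Session); run it in
# an elevated PowerShell session on the machine being checked.

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Updates that are not yet installed and have not been hidden by an administrator
$result = $searcher.Search("IsInstalled=0 and IsHidden=0")

$now = Get-Date
$report = foreach ($u in $result.Updates) {
    $published = $u.LastDeploymentChangeTime          # when this update was last (re)published
    $ageDays   = [int]($now - $published).TotalDays
    [pscustomobject]@{
        Title      = $u.Title
        Severity   = $u.MsrcSeverity                  # empty for non-security updates
        Published  = $published.ToString('yyyy-MM-dd')
        AgeDays    = $ageDays
        Downloaded = $u.IsDownloaded                  # downloaded but never applied: the gap the post describes
        OverAYear  = ($ageDays -gt 365)
    }
}

$report | Sort-Object AgeDays -Descending | Format-Table -AutoSize

$stale = @($report | Where-Object OverAYear)
if ($stale.Count -gt 0) {
    Write-Warning ("{0} pending update(s) have had a fix available for more than a year." -f $stale.Count)
}
```

The `Downloaded` column is the interesting one in a managed environment: a row that is downloaded, security-rated and hundreds of days old is exactly the "indicator sitting next to the clock" case, and the same query can be run remotely or from a login script to build a fleet-wide view rather than relying on the indicator being clicked.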

Before anyone starts to feel too comfortable because *you* have your operating system all up to date, it’s not just the base system which is under attack. Even as far back as 2009, these SIR reports were demonstrating that:

“Around 90 percent of vulnerabilities during the second half of last year were in applications…” – DarkReading / Microsoft SIR, April 2009

And that trend (though, perhaps not that percentage) continues today. In fact, it is the applications which users are loading on to their systems which are bringing with them the vulnerabilities from which malicious actors are launching their attacks. We see this in the additional functionality vendors are inserting into base operating systems on phones, and we see it in application software which destroys the myth that certain platforms are invulnerable, even to the point where helpdesk staff representing the company were specifically prohibited from assisting customers (a position they later reversed).

So – what does one do in the face of these threats? Do we rely on the background downloading and patching of our systems, or do we take an active stance in protecting our machines, choosing what and when to apply updates – just in case “something weird” happens?

But, gentle reader, the greatest threat to the integrity of your system is not its operating system, it is not the applications you have installed, it is something even harder to ‘update’, something that will not be ‘patched’ on a regular basis from a central source… the greatest threat, the threat responsible for almost 45% of the attacks analysed in this latest Microsoft SIR – is you and I. We of the “between the keyboard and the chair”, us of the “Layer 8 in the OSI model”, the wet-ware, the users. But trying to resolve that threat vector is fodder for perhaps another article at another time.