Transparency and Security

Tuesday, February 26th, 2008

Last week something very interesting happened in the IT world. Microsoft pledged to open up many of the APIs and communication protocols used in the Windows OS, SQL Server, the Office file formats, Exchange, and other products. If this holds true, it marks a big change in the way they have protected their internal data, and that is going to create a big stir throughout the IT industry. But the stir is going to mean different things to different people.

For developers creating software to interact with Microsoft products, this will provide an incredible source of information and should lead to much greater interoperability in sharing data between applications. Soon there should be more realistic alternatives to the Microsoft giants Office and Outlook, which are very good at what they do but are pretty heavyweight for a lot of smaller businesses. Samba (the open-source implementation of Windows file and print sharing for Linux and other Unix-like systems) should also be able to keep current and be much more stable and feature-rich now that its developers no longer have to guess at or reverse-engineer the protocols.

But we are a security company and this is a security blog, so how does this affect security? In the immediate future, probably negatively. In the short term, documentation of the protocols and file formats will make fuzzing much easier, and some interesting vulnerabilities will be found in previously unchecked code paths. That is great, as long as people with malicious intent do not find and exploit them before the good guys can create a fix. In the end, more open access to this information will lead to more secure software and a better framework for tools to be built on, but it may still make for an interesting, if bumpy, year on the security front.
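
Why a documented format makes fuzzing easier, as an added illustration (this is not code from the post, from Microsoft, or from any real file format): the toy record format below, its parser, and the unchecked length field are all constructed for this example. Knowing the layout lets a fuzzer locate every size field and hit each with the classic boundary values, so the unchecked code path is reached in a handful of targeted cases. A blind fuzzer that only knows it has a blob of bytes has to stumble onto those same fields by chance, and spends much of its budget on cases the magic check rejects outright.

```python
import random
import struct

# Toy record format, constructed for this example (it is not a Microsoft format):
#   "RC" | u16 count | count x ( u16 length | length payload bytes )
# All integers are little-endian.
MAGIC = b"RC"
BOUNDARY_VALUES = (0, 1, 0x7FFF, 0xFFFF)   # classic edge values for a u16 size field


def build_file(payloads):
    """Serialise a list of payloads in the toy format (used to make the seed file)."""
    out = bytearray(MAGIC + struct.pack("<H", len(payloads)))
    for payload in payloads:
        out += struct.pack("<H", len(payload)) + payload
    return bytes(out)


def parse(data):
    """Return one 8-bit checksum per record.

    Deliberately trusts the declared sizes: a length that runs past the end of
    the buffer makes the checksum loop index beyond the data.  Python raises
    IndexError there; in a C parser the same path would be an out-of-bounds read.
    """
    if data[:2] != MAGIC:
        raise ValueError("bad magic")
    count = struct.unpack_from("<H", data, 2)[0]
    off, sums = 4, []
    for _ in range(count):
        length = struct.unpack_from("<H", data, off)[0]
        off += 2
        checksum = 0
        for i in range(length):                     # no check that off + length <= len(data)
            checksum = (checksum + data[off + i]) & 0xFF
        sums.append(checksum)
        off += length
    return sums


def crashes(data):
    """True when parse() dies on the unchecked path; a rejected magic is not a crash."""
    try:
        parse(data)
    except (IndexError, struct.error):
        return True
    except ValueError:
        return False
    return False


def size_fields(data):
    """Walk the documented layout and return (label, offset) for every u16 size field."""
    fields = [("count", 2)]
    count = struct.unpack_from("<H", data, 2)[0]
    off = 4
    for i in range(count):
        fields.append((f"record{i}.length", off))
        off += 2 + struct.unpack_from("<H", data, off)[0]
    return fields


def boundary_cases(data):
    """Format-aware generation: every size field set to every boundary value."""
    cases = []
    for label, off in size_fields(data):
        for value in BOUNDARY_VALUES:
            buf = bytearray(data)
            struct.pack_into("<H", buf, off, value)
            cases.append(((label, value), bytes(buf)))
    return cases


def crashing_cases(cases):
    """Labels of the generated cases that hit the unchecked path."""
    return [label for label, buf in cases if crashes(buf)]


def blind_fuzz(data, seed=1, budget=2000):
    """Format-unaware baseline: one random byte overwritten per iteration.

    Returns the iteration number of the first crash, or None if the budget runs out.
    """
    rng = random.Random(seed)
    for n in range(1, budget + 1):
        buf = bytearray(data)
        buf[rng.randrange(len(buf))] = rng.randrange(256)
        if crashes(bytes(buf)):
            return n
    return None


# Constructed seed input: three 30-byte records, 100 bytes in total.
SEED_FILE = build_file([b"A" * 30, b"B" * 30, b"C" * 30])

if __name__ == "__main__":
    cases = boundary_cases(SEED_FILE)
    print(f"{len(cases)} targeted cases, crashes: {crashing_cases(cases)}")
    print(f"blind fuzzing: first crash after {blind_fuzz(SEED_FILE)} iterations")
```

Note that even the "harmless" boundary values crash this parser: setting a record length to 0 or 1 desynchronises the walk so the next length field is read from payload bytes, which is exactly the kind of previously unchecked code path the post has in mind. The blind baseline does find the bug on this tiny input, because size fields are a large fraction of a 100-byte file; on a realistic document with kilobytes of payload the ratio, and the iteration count, grows accordingly.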


A New Year and a TCP Vulnerability

Friday, January 11th, 2008

It has been a little while since my last blog post; 2007 was a busy year, and if this month's security update from Microsoft is any indication, 2008 is going to be just as interesting.

There are a few interesting things about this vulnerability from a technical perspective. Primarily, it is a bug in the network stack of the operating system, and bugs like these are extremely rare in mature software. The file affected, tcpip.sys, is among the most analyzed 352 kilobytes ever coded. The bug has been written about in numerous blogs and whitepapers by now, so I won't repeat that here, but I'll take the opportunity to plug one of my new favorite blogs, Microsoft Security Vulnerability Research and Defense. Their posts on this vulnerability are the first ones they've put out, but if they keep them coming like this they're going to be the first place I visit on Patch Tuesday. Microsoft has really turned around, from once being the "enemy" to many in the security field to now being an example for other vendors in the way they handle their entire development and patching programs.

While I'm plugging things, I'd also like to give a nod to the good people at Offensive Security for their Offensive Security Certified Professional certification. I had the opportunity to take the course late last year as part of our team's continuing education goals, and I was very impressed with the quality of the materials and the staff. For a hands-on, practical approach to learning how your systems are being attacked by the bad guys, this course cannot be beat.

Hope 2008 keeps you all (and your systems) happy and healthy.


Security Research Humor

Thursday, October 11th, 2007

Little Bobby Tables

Research Humor

via XKCD


Changing Definitions and the Increasing Number of Client Side Bugs

Friday, May 4th, 2007

The focus of hackers and bug hunters seems to be shifting these days. Vulnerabilities in widespread network services such as HTTP and FTP servers are becoming less common and less exploitable because of better educated programmers, more sophisticated and more widely deployed network and host controls, and the increase in IPS devices at many locations. Because of this, both hackers and security researchers have moved up a level and are increasingly focusing on client-side (e.g., desktop, end-user) vulnerabilities. Security administrators have learned how to adjust to threats coming from the outside by blocking unused ports and locking down systems as much as possible. However, the everyday computer user still has to be able to do his job, and that is why attackers are going after him.

Here at SecureWorks, the research team has seen a significant rise in the number of attacks targeting file format vulnerabilities. We blocked as many attacks of this type in the first four months of 2007 as we did in all of 2006. In the past, these types of attacks would have been disregarded and downplayed in the security community. But with programs such as Microsoft Office and QuickTime (e.g., CVE-2007-0515 and CVE-2007-0714) in such widespread use, exploiting client-side vulnerabilities has become a viable method of attack. Add to this the number of vulnerabilities that directly affect Internet Explorer and Mozilla Firefox, or allow attackers to use them as a medium to reach the targeted system, and we are looking at a very large percentage of the computers in use today. Simply receiving a Microsoft Office file in your inbox or downloading a video from a friend's web page can result in a full compromise of your system.

These types of attacks normally require some level of social engineering to trick the user into opening the file, but the user is often the weakest link in the security infrastructure. Spammers and hackers have had a lot of practice over the years learning how to get the response they want from users, and attacking client-side vulnerabilities lets them slip under the precautions that many users have learned to take. Security professionals have long taught users not to go to the shadier sites on the Internet, not to run executables sent from questionable sources, and even to turn off macros in Office documents, but not to open a PowerPoint presentation or view a video from the web? These precautions seem impractical to everyday users; my grandmother still does not believe anything malicious can come over email! However, these vulnerabilities are a clear threat, and with the line between data and programs becoming increasingly blurred, we are required to change the way we use computers. Being secure demands a new and changing focus all the time, and it looks like these types of vulnerabilities are here to stay in one form or another for quite a while. The key to protecting against these types of attacks is clear and proactive policies, both in the technology and with the users, and the education of those users.

This brings me to a side point that I'll likely address more in a later post. We need to change the way we look at, rate, and prioritize vulnerabilities. CVSS is a good start, but as technologies become more integrated, we are going to need something where the categories are less black and white and more shades of grey. Many of the rating systems for vulnerabilities rely on local vs. remote as a large factor in determining severity. These bugs do not quite fit into either category: the attacker is remote, but the vulnerable code only runs when a local user opens the file. We should all start looking at adding a "client side" category to give the rating more granularity and make more sense in the real world. These vulnerabilities are more likely to affect organizations that have many users, and they present a much bigger threat than what is normally considered local.
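
To put a number on how much the local vs. remote choice swings a rating, here is the CVSS version 2 base-score equation implemented as an added example (it is not code from the post or from FIRST, and v2 itself was published in June 2007, shortly after this post was written; the metric weights and the formula are taken from that specification). The vector strings are standard CVSS v2 notation; the "file-format bug" vector used in the usage block is a constructed illustration of the pattern, not a score the page assigns to any particular CVE.

```python
# CVSS v2 base score, implemented from the published v2 equations (FIRST, June 2007).
# Added example: the point is how much of the score the Access Vector alone decides.

ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}        # Local / Adjacent network / Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}     # High / Medium / Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}       # Multiple / Single / None
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}               # None / Partial / Complete


def parse_vector(vector):
    """'AV:N/AC:M/Au:N/C:C/I:C/A:C' -> {'AV': 'N', 'AC': 'M', ...}."""
    metrics = dict(part.split(":") for part in vector.split("/"))
    missing = {"AV", "AC", "Au", "C", "I", "A"} - metrics.keys()
    if missing:
        raise ValueError(f"vector lacks {sorted(missing)}")
    return metrics


def base_score(vector):
    """CVSS v2 base score, rounded to one decimal as the specification requires."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def scores_by_access_vector(rest):
    """Score the same complexity/auth/impact metrics under each Access Vector value.

    `rest` is the vector without its AV component, e.g. 'AC:M/Au:N/C:C/I:C/A:C'.
    """
    return {av: base_score(f"AV:{av}/{rest}") for av in ACCESS_VECTOR}


if __name__ == "__main__":
    # A file-format bug of the Office/QuickTime kind: full compromise, no
    # authentication, but the victim has to open the file.  v2 has no metric
    # for "needs a user action", so the only lever is AV (plus a bumped AC).
    for av, score in scores_by_access_vector("AC:M/Au:N/C:C/I:C/A:C").items():
        print(f"AV:{av} -> {score}")
    print("true remote, no user action:", base_score("AV:N/AC:L/Au:N/C:C/I:C/A:C"))
```

With identical impact metrics the same bug scores 6.9 as Local and 9.3 as Network, with Adjacent at 7.9 in between. Nothing in the vector records that the exploit needs a user to open a file; the usual practice is to call it Network and raise Access Complexity to Medium, which is the "shades of grey" problem the paragraph above describes.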
