Documentos de Académico
Documentos de Profesional
Documentos de Cultura
Trends
Exploring the impact of software mitigations on patterns of vulnerability exploitation
Authors
Swamy Shivaganga Nagaraju Microsoft Security Response Center
Cristian Craioveanu Microsoft Security Response Center
Elia Florio Microsoft Security Response Center
Matt Miller Microsoft Security Engineering Center
Table of contents
Foreword .......................................................................................................................................................... 3
Introduction .................................................................................................................................................... 4
Exploitation trends ........................................................................................................................................ 5
Improvements in Windows 8 .................................................................................................................... 13
Recommendations ...................................................................................................................................... 17
References ..................................................................................................................................................... 18
Appendix: Data Sources and Glossary ................................................................................................... 19
Foreword
Using security science to create more secure products and services
The Microsoft Security Engineering Center carries out some of the software industrys most advanced security science research.
Leveraging insights we glean from the Microsoft Security Response Center, the team examines new techniques that are used to
attack Microsoft products and services and third-party applications running on Microsoft platforms. They use this
understanding on how the attacks succeed to design countermeasures to defeat them.
The output of this research feeds back into the Microsoft Security Development Lifecycle, a mandatory part of the
development process that every Microsoft product or service must implement. The result is that each new version of an
operating system, browser or application is harder to attack than previous versions, making it more difficult and costly for
criminals to develop malicious attacks. The more expensive it is to develop an attack, the less likely it is that the attack will be
created and used.
This whitepaper examines the effectiveness of this approach. The paper analyzes software vulnerabilities addressed through
Microsoft security updates that were exploited, and provides recommendations that can help to minimize risk of attack. Two
findings are clear first, the innovations introduced by security science have forced attackers to change the attack methods
they use, often requiring the development of more expensive multi-stage attacks. Second, new attacks continue to be
developed for older, less secure versions of products and services.
A special note to those still running Windows XP - the paper also examines the security features in Windows XP Service Pack 3
and compares them with the features in Windows 8, our most secure operating system to date. Only a quarter of Windows 8
protections are available in any form in Windows XP Service Pack 3. This means that the attack techniques that have been
developed in the ensuing eight years can still be deployed against Windows XP, even though those techniques are mitigated
by the updated security features in Windows 8. Running Windows XP on network-connected systems carries additional risk; the
fact that Windows XP will no longer be supported at all after April 8, 2014 means that this risk will only increase over time.
The Microsoft Security Engineering Center continues their work examining new attack techniques as they are developed, which
will ensure the security of Microsoft products and services keeps pace with ever-improving attack techniques.
Matt Thomlinson
General Manager
Microsoft Trustworthy Computing Security
Introduction
One of the security challenges that both individuals and
organizations face is gauging the risks that are associated with
vulnerabilities in the operating systems and applications that they
use. Although such vulnerabilities always have some level of
potential risk, this risk only becomes actualized when an attacker
develops a functioning exploit. The existence of an exploit is what
allows a malicious attacker to take advantage of a vulnerability
and potentially compromise affected computers. From a risk
management perspective, the likelihood of an exploit being
developed can be an important factor in providing a more
precise estimation of a vulnerabilitys actual risk. To this point,
Microsoft security updates always include a description of a
vulnerabilitys expected worst-case impact and, beginning in
2008, an Exploitability Index1 (XI) rating that measures the
likelihood of a vulnerability actually being exploited.
http://technet.microsoft.com/en-us/security/cc998259.aspx
www.microsoft.com/enus/download/details.aspx?id=26788
2
Exploitation trends
This section explores historical
exploitation trends for Microsoft
vulnerabilities that have been
addressed through security updates
within the past seven years (2006
2012). Evidence about which
vulnerabilities have been exploited was
gathered from public and private
reports as well as Microsoft
antimalware telemetry feeds. Although
this data is believed to be thorough
and complete, it is possible that
KEY FINDINGS
The key findings that were made through this analysis of historical exploitation trends are:
The number of RCE vulnerabilities that are known to be exploited per year appears to be decreasing.
Vulnerabilities are most often exploited only after a security update is available, although recent years have shown an upward
trend in the percentage of vulnerabilities that are exploited before a security update is available.
Stack corruption vulnerabilities were historically the most commonly exploited vulnerability class, but now they are rarely
exploited.
Use after free vulnerabilities are currently the most commonly exploited vulnerability class.
Exploits increasingly rely on techniques that can be used to bypass the Data Execution Prevention (DEP) and Address Space
Layout Randomization (ASLR).
Scale
To help set the context for assessing exploitation trends, it is
helpful to start by considering the scale at which vulnerabilities
are actually known to have been exploited.
The following figure represents the number of common
vulnerabilities and exposures (CVEs) that were classified as RCE
CVEs over the last seven years. This data shows that
100%
90%
80%
70%
60%
50%
40%
30%
20%
10%
0%
2006
2007
2008
2009
2010
2011
2012
Known exploit
28
21
21
33
66
49
27
No known exploit
66
78
94
94
113
70
75
Figure 1. CVEs that were exploited and resolved through security updates
100%
90%
80%
70%
60%
50%
40%
30%
20%
10%
0%
2006
2007
2008
2009
2010
2011
2012
16
12
11
14
16
12
12
16
22
52
33
15
Figure 2. Percentages of CVEs that were exploited before vs. after security updates were available
Targets
The product versions that are affected by a vulnerability are what
define the set of at-risk targets that an attacker could attempt to
exploit. In practice, exploits often target only a small subset of the
affected product versions, for multiple reasons; one key factor is
that the runtime environment of an application tends to be
different between product versions. These differences can make it
difficult to build an exploit that functions and is reliable against
the complete set of potential targets. Accordingly, exploit writers
typically target affected versions that are seen as high yield, such
as those versions that are used by the largest portions of the
population.
Of the exploit data that was analyzed, only 34% of the CVEs had
at least one exploit for which the intended targets were known.
The following figure shows the versions of Windows that were
targeted for this subset. Notably, a downward trend is evident
over the last seven years in the number of exploits that targeted
Windows 2000, which no longer appeared as a target in 2012.
The number of exploits that targeted Windows XP and Windows
Vista has also begun trending downward in the past three years,
which corresponds to the increase in exploits that target
Windows 7.
CVEs
15
13
11
9
7
5
3
1
-1
2006
2007
2008
2009
2010
2011
2012
Windows 2000
14
Windows XP
14
11
13
Windows Vista
Windows 7
Figure 3. The number of CVEs for which exploits were written that targeted specific Windows versions
8
7
6
CVEs
5
4
3
2
1
0
2006
2007
2008
2009
2010
2011
2012
Internet Explorer 6
Internet Explorer 7
Internet Explorer 8
Internet Explorer 9
Figure 4. The number of CVEs for which exploits were written that targeted specific Internet Explorer versions
Vulnerabilities
The root cause of a vulnerability plays a key role in defining the
set of exploitation techniques that an attacker can use when
developing an exploit. As a result, the level of difficulty in
developing an exploit is heavily dependent on the type of
vulnerability that is being exploited. In terms of risk management,
the root cause of a vulnerability can be an important factor in
influencing the likelihood that an exploit will be developed. As
the following two figures illustrate, there have been some
noteworthy shifts in the classes of vulnerabilities that are known
to have been exploited.
The first clear shift can be seen through the decline in the
percentage of exploits for stack corruption vulnerabilities, such as
stack-based buffer overruns. (See the Glossary section at the
end of this paper for a definition of stack corruption
vulnerabilities.) This vulnerability class has historically been the
most likely to be exploited, but since 2009 it has been steadily
100%
90%
80%
70%
60%
50%
40%
30%
20%
10%
0%
2006
2007
2008
2009
2010
2011
Stack Corruption
Heap Corruption
Type Confusion
Command Execution
Uninitialized Use
Invalid Free
Memory Read
Other
XSS
Cryptography
2012
100%
90%
80%
70%
60%
50%
40%
30%
20%
10%
0%
Windows 2000
Windows XP
Windows Vista
Windows 7
Stack Corruption
Heap Corruption
Command Execution
Type Confusion
XSS
Uninitialized Use
Invalid Free
Other
Figure 6. The distribution of CVE vulnerability classes for which exploits were written
that targeted specific versions of Windows over the past seven years
Techniques
Attackers have developed a variety of exploitation techniques
over time that can potentially enable them to exploit
vulnerabilities under differing circumstances. These techniques
encompass the fundamental methods of leveraging a particular
class of vulnerability as a means of running malicious code. In
recent years, additional techniques have been identified for
bypassing exploit mitigations such as DEP and ASLR under
certain conditions. From a risk management perspective, the
ability for an attacker to employ certain exploitation techniques
8
7
6
CVEs
5
4
3
2
1
0
2006
2007
2008
2009
2010
2011
2012
Heap Spray
14
12
CVEs
10
8
6
4
2
0
2006
2007
2008
Mitigated by DEP
2009
2010
2011
2012
Bypassed DEP
Figure 8. The number of CVEs for which exploits were written that could have been mitigated by
enabling DEP as compared to the number of CVEs that had exploits that bypassed DEP
Improvements in Windows 8
Windows 8 contains numerous security
improvements that are specifically
designed to increase the cost and
complexity of exploiting vulnerabilities.
This section highlights some of the
security improvements in Windows 8
by showing the impact they are
designed to have on current trends in
vulnerability exploitation.
Enhanced /GS
Stack corruption vulnerabilities are rarely exploited in Microsoft
products today, thanks in part to the /GS stack buffer overrun
protection and SafeSEH features of the Microsoft Visual C++
compiler. Despite this positive trend, there have still been cases
during the past seven years in which stack corruption
vulnerabilities were successfully exploited. In Visual C++ 2010,
the heuristics that /GS uses when deciding whether to enable
protection for a function were extended to cover a broader set of
cases. For example, the new heuristics now protect functions that
have a plain old data structure (POD) of a certain size or that have
a fixed-size local array of a non-pointer type. These enhanced
heuristics provide protection for past vulnerabilities that were not
previously protected by /GS. Because Windows 8 has been built
with these enhancements to /GS, it will be even more difficult for
attackers to develop an exploit for stack corruption vulnerabilities
that may exist in Windows 8.
Heap hardening
Heap corruption vulnerabilities are one of the most commonly
exploited vulnerability classes. In most cases, attackers attempt to
exploit these vulnerabilities by corrupting the state of application
data that is stored on an applications heap. For example, an
attacker might use a heap buffer overrun to corrupt the virtual
table of a C++ object that is later called through, which would
allow them to take control of program execution.
Force ASLR
Windows 8
Internet Explorer 10
No
Yes
No
Yes
No
Yes
No
Yes
Limited
Extensive
Stack randomization
No
Yes
Heap randomization
No
Yes
Image randomization
No
Yes
No
Yes
Bottom-up randomization
No
Yes
Top-down randomization
No
Yes
No
Yes
PEB/TEB randomization
Yes
Yes
Limited
Extensive
Header encoding
No
Yes
Terminate on corruption
No
Yes
Guard pages
No
Yes
Allocation randomization
No
Yes
Safe unlinking
Yes
Yes
Header checksums
Yes
Yes
Yes
Yes
No
Yes
Yes
Yes
SEHOP
Protected Mode
Enhanced Protected Mode (EPM)
Virtual Table Guard
ASLR
Heap hardening
/GS
Enhanced /GS
SafeSEH
11.3
10.0
8.0
6.0
4.6
4.8
3.7
3.5
4.0
4.5
4
3.3
2.5
2.0
Too
little
data
0.0
32-bit
64-bit
Too
little
data
0.8
0.2
32-bit
64-bit
32-bit
64-bit
32-bit
64-bit
32-bit
64-bit
Windows 8 RTM
32-bit
64-bit
Too
little
data
32-bit
64-bit
Figure 9. Infection rate (CCM) by operating system and service pack in the fourth quarter of 2012
Recommendations
The likelihood that a vulnerability will
be successfully exploited depends on
many factors, including the type of
vulnerability being exploited, the
product versions being targeted, an
attackers ability to make use of the
necessary exploitation techniques, and
the amount of time required to build a
reliable exploit. The following
recommendations show how these
factors can be influenced to help
reduce the likelihood of exploitation
and thereby minimize risk.
References
Microsoft Exploitability Index
http://technet.microsoft.com/en-us/security/cc998259.aspx
Mitigating Software Vulnerabilities
http://www.microsoft.com/en-us/download/details.aspx?id=26788
The Enhanced Mitigation Experience Toolkit
http://www.microsoft.com/emet
Glossary
ASLR. An acronym for address space layout randomization, a
platform security feature that randomizes the location of code
and data in the address space of a process. The first version of
Microsoft Windows to support ASLR was Windows Vista in 2007.
DEP. An acronym for Data Execution Prevention, a platform
security feature that prevents data from being executed as code.