The Exploit That Didn't Happen
Is it becoming more difficult for hackers to exploit software vulnerabilities?
Every month, Microsoft issues its patch Tuesday update revealing security vulnerabilities large and small. Part of Microsoft's disclosure involves a metric known as the exploitability index. As it turns out, exploitability is not an exact science. Just because Microsoft and the security research community initially believe a vulnerability to be exploitable, that doesn't necessarily mean it will be exploited.
The general idea with the exploitability index is that it is intended to help provide enteprises with an indication of the likelyhood that a particular vulnerability can be exploited by an attacker. Knowing the exploitability of a given vulnerability helps enterprises measure risk and determine how important it is to patch.
Looking back at the vulnerabilities that were disclosed in 2011, there was at least one case where researchers had expected an exploit to appear in the wild, but none actually emerged. During a recent Black Hat live web event, Tom Cross, manager of IBM's X-Force research group, said that one of the scariest vulnerabilities of 2011 was described in Microsoft Security Bulletin MS11-020, which Microsoft rated as being critical in April.
"This bug was potentially a wormable remote code execution vulnerability in the Windows SMB stack," Cross said. The SMB (Server Message Block) network protocol provides shared access to resources and communication between nodes on Windows networks. Microsoft gave the MS11-020 vulnerability an exploitability score of 1, which meant that they expected public exploitation to happen quickly.
A major reason for security researchers' concern about MS11-020 was that a similar type of vulnerability helped to enable the notorious Conficker worm that threatened the Internet in 2009.
But that was then. It's now been nine months since the initial disclosure, and the MS11-020 vulnerability has done little or no damage whatsoever. Cross noted that there have been no public attacks against the vulnerability -- not even any proof-of-concept exploit code.
"In the SMBv2 context, there are a lot of features in the modern heap that protect the system from exploitation," Cross said. "So even if you were able to trigger it, it's a lot of work to get code execution out of something like this."
Cross said that, in general, it has become increasingly difficult to exploit vulnerabilities. He added that there are new features in Windows that are designed to help prevent vulnerabilities from turning into code execution. Those features are having an impact on the amount of exploitation that is happening.
"They have raised the bar to the point where today it is significantly challenging to get code execution out of a vulnerability, even though it is technically possible," Cross said.
Cross stressed that overall, there is a distinction between vulnerabilities, exploits, and attack activity. He noted that better software development processes will result in fewer vulnerabilities, while better operating system protections will result in fewer exploits. But Cross warned that neither better software nor improved operating systems necessarily translates into fewer attacks, as long as there are enough exploits out in the wild that attackers can use.
"The question is, can we reach a point in time where the opportunities for hackers are more limited than they are today," Cross said. "We are making the situation better and there is now a realistic belief that we can get to a point in the future where there are so few opportunities for attackers, that we will have an impact on the amount of attack activity."
Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.