The Common Exposures and Vulnerabilities database has over 25 years of data on vulnerabilities in it. In this deck we dig through that database and use it to map out trends and general information on vulnerabilities in software in the last quarter century. For more information please visit our website: http://www.cisco.com/web/CA/index.html
Security Vulnerabilities in Modern Operating Systems
1.
2. Security Vulnerabilities in Modern Operating
Systems
T-SEC-18-B
Yves Younan
Senior Research Engineer
Vulnerability Research Team (Sourcefire, now part of Cisco)
3. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Overview
A look at more than 25 years of past vulnerabilities
– Based on the CVE/NVD data.
– CVE started in 1999, but includes historical data going back to 1988.
– NVD hosts all CVE information in addition to some extra data about vulnerability types,
etc.
– Based on Sourcefire report: http://www.sourcefire.com/25yearsofvulns
Updated (with data from 2013, 2014) and data from other sources
A look at the future
– What trends do we expect?
A look at exploitation trends based on other reports
What can we do to protect ourselves
4. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Vulnerabilities Past
Data from 1988-2013
– More than 59,800 vulnerabilities in this period
– Majority of vulnerabilities in the last half of this period
– Data has some issues though
Depending on reporting, a single CVE issue could cover multiple similar vulnerabilities or not
Sometimes product assignment is spotty (we’ve tried to clean this up a bit for mobile)
– Not correctly assigned to a product, multiple product names for the same product
Categories that are used are not very good and their assignment is not all that great
– Also a change in categories significantly
We use the “published date” provided by NVD to determine when a vulnerability was published:
CVE ids are generated based on when they are requested, not published, so small discrepancies
between ids and dates can exist around the end of the year
– For example: CVE-2013-6642 was published in 2014
5. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Common vulnerability scoring system
Analyst answers the following about the vulnerability:
– Impact on confidentiality, accessibility, integrity: low, partial, complete
– Access vector: local, adjacent network, remote
– Authentication required: none, single, multiple
Gives a base score of 0-10
We use the following in the stats:
CVSS >=7 is considered a serious vulnerability (include critical)
CVSS = 10 is considered a critical vulnerability
– Note: if insufficient information is available, NVD will consider the vulnerability to be critical
Gives us a measure of vulnerability impact, but can be a little
subjective
– One score, while multiple platforms may be affected, with different impacts
(e.g. due to mitigations)
11. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Vulnerabilities by Type
Common Weakness Enumeration creates a number of
categories for vulnerabilities
NVD uses a subset of CWE to categorize vulnerabilities:
– Authentication issues: not properly authenticating users
– Credentials management: password/credential
storage/transmission issues
– Access Control: permission errors, privilege errors, etc.
– Buffer error: buffer overflows, etc.
– CSRF: cross-site request forgery
– XSS: cross site scripting
12. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Vulnerabilities by Type
NVD CWE subset continued:
– Cryptographic issues: errors in crypto
– Path traversal: incorrectly handling input like “..”
– Code injection: executing scripting code or similar
– Format string vulnerability: when attackers control the format
specifier for a formatting function
– Configuration: errors in configuration
– Information leak: exposing sensitive information
– Input validation: lack of verifying input, overlaps with
other categories, kind of a misc. category
– Numeric errors: integer overflows, signedness errors, etc.
13. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Vulnerabilities by Type
NVD CWE subset continued:
– OS Command Injections: executing via command line
– Race conditions: time of check to time of use errors
– Resource management errors: memory leaks, consuming of
excess resources, etc.
– SQL injection
– Link following: following symlinks / hard links
14. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Vulnerabilities by Type
Buffer Errors
15%
XSS
13%
Access Control
11%
Input Validation
10%
SQL Injection
10%
Not enough info
8%
Code Injection
6%
Information Leak
5%
Resource
Management
5%
Path
Traversal
4%
Numeric
Errors
2%
Configuration
2%
Authentication
2%
Crypto
1%
Credentials
1%
CSRF
1%
Link
Following
1%
Race Conditions
1%
OS
Command
Injection
1%
[CATEGORY NAME]
[PERCENTAGE]
15. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Serious Vulnerabilities by Type
Buffer Errors
23%
SQL Injection
19%
Access Control
10%
Code Injection
10%
Not enough info
8%
Input Validation
8%
Resource
Management
4%
Path Traversal
3%
Numeric
Errors
2%
Authentication
2%
Configuration
2%
OS Command
Injection
2% Format String
1%
Credentials
1%
Information Leak
1%Crypto
1%
XSS
1%
16. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Critical Vulnerabilities by Type
Buffer Errors
35%
Not enough info
22%
Access Control
8%
Input Validation
6%
Code Injection
4%
Resource
Management
4%
OS Command
Injection
3%
Numeric Errors
3%
Configuration
3%
Authentication
3%
Credentials
2%
Format
String
2%
Path
Traversal
2%
SQL Injection
1%
Information Leak
1%
Crypto
1%
17. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Vulnerability Types Over the Years
0
500
1000
1500
2000
2500
3000
3500
781
1294
874 796 827
594 724
599
939
869 1100 951
515
164 223 277 390 460 422 469
708
921 569
572
548
673
734
719
148 183 229
285 338
187 303
777
572
144
215
250
175
302 474
83
147
1047
560
734
Not enough info
Code Injection
Configuration
Input Validation
Access Control
Buffer errors
SQL Injection
XSS
18. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Vulnerabilities by Vendor
NVD has information on affected product for 58,561
vulnerabilities
Top 10 vendors account for 16,696 vulnerabilities, more
than 28% of all vulnerabilities.
Some vendors have lots of products, which can result in
a higher total vulnerabilities count
We will also look at specific products later so we can
provide more extensive analysis
19. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Top 10 Vendors for Total Vulnerabilities
Microsoft, 3280
Apple, 2122
Oracle, 2025
IBM, 1802
Sun, 1558
Cisco, 1523
Mozilla, 1255
Linux, 1097
HP, 1037
Google, 997
20. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Top 10 Vendors for Serious Vulnerabilities
Microsoft, 1948
Apple, 921
Cisco, 830
Adobe, 757
Sun, 727
IBM, 662
Mozilla, 613
Oracle, 580
Google, 559 HP, 554
21. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Top 10 Vendors for Critical Vulnerabilities
Adobe, 300
Oracle, 287
Mozilla, 246
Sun, 235
HP, 235
IBM, 197
Microsoft, 183
Google, 113
Cisco, 97 Apple,
72
22. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Top 10 Vendors over the Years
0
100
200
300
400
500
600
Microsoft
Apple
Oracle
IBM
Sun
Cisco
Mozilla
Linux
HP
Google
23. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Top 10 Vendors, total number of distinct products
23
HP, 1291
Cisco, 889
IBM, 450
Microsoft, 361
Oracle, 232
Sun, 199
Apple, 92 Google, 32 Mozilla, 19 Linux, 7
24. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Top 10 vendors, unique CVEs to distinct products ratio
24
Linux, 156.7
Mozilla, 66.1
Google, 31.2
[CATEGORY
NAME], [VALUE]
Microsoft, 9.1
Oracle, 8.7 Sun, 7.8 IBM, 4 Cisco, 1.7 HP,
0.8
25. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Vulnerabilities by Product
Our vendor comparison gave us an idea who had to
deal with the most vulnerabilities
However, vendors have multiple products: having more
products, will usually result in suffering from more
vulnerabilities
– As was seen in the product versus CVE entry comparison
Here we look at product specific comparisons
– What products had the most vulnerabilities
Some caveats
– Some versions are considered distinct products
Every Windows version is a distinct product
26. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Top 10 Vulnerable Products
Linux Kernel, 1090
Firefox, 1013
Chrome, 886
Mac OSX, 847Windows XP, 717
Seamonkey, 628
Internet Explorer, 625
Mac OSX Server,
608
Thunderbird, 594 Solaris, 557
27. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Top 10 vulnerable products without shared code bases
27
Linux Kernel, 1090
Firefox, 1013
Chrome, 886
Mac OSX, 847
Windows XP, 717
Internet Explorer,
625
Solaris, 557
JRE, 496
Safari, 460
Linux, 396
28. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Top 10 vulnerable products, totaled with similar products
28
Linux+Redhat, 1895
All Windows, 1237
Mozilla Suite, 1046
Mac OS, 891
Chrome, 886
Internet Explorer, 625
Solaris, 590
JRE/JDK, 501
Safari, 460 PHP,
353
29. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Top 10 Seriously Vulnerable Products
Firefox, 529
Chrome, 513
Windows XP, 501
Thunderbird, 365Seamonkey, 364
Windows Vista, 346
Windows Server
2008, 337
Windows 2000, 311
Internet
Explorer, 307
Windows 2003
Server, 299
30. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Top 10 Seriously Vulnerable Products, totaled (similar)
30
All Windows, 755
Linux+Redhat, 567
Firefox, 539
Chrome, 513
Internet Explorer, 307
Mac OS X, 303
JDK/JRE, 289
Acrobat, 283
Solaris, 277
Flash/Air, 260
31. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Top 10 Critically Vulnerable Products
Firefox, 234
Thunderbird, 179
Seamonkey, 167
JRE, 152
JDK, 145
Flash Player, 134
Adobe Air, 119
Chrome, 99
Acrobat Reader, 96
Acrobat, 92
32. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Top 10 Critically Vulnerable Products, totalled (similar)
Mozilla suite, 238
JRE/JDK, 153
Flash/Air, 135
All Windows, 103
Linux+Redhat, 101
Chrome, 99
Acrobat, 96
Solaris, 61
Oracle Database, 54
AIX, 49
33. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Vulnerabilities by Windows Version
XP, 717
Server 2003, 618
Win 2000, 504Vista, 455
Server 2008, 450
Win 7, 325
NT, 247
Win 98, 89 Win 8, 63
Win Me, 57 Server 2012, 56 Win 95,
46
34. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Vulnerabilities by Mobile Phone OS
iPhone, 310
Windows, 49
Android, 36
BlackBerry, 13
35. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Vulnerabilities by Mobile Phone OS
Android, 166
iPhone, 164
Windows, 54
BlackBerry, 28
36. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Microsoft Bulletins
Contain information on all Microsoft vulnerabilities and
associated CVEs
Correlate the release dates of the bulletins with the
release dates of the CVEs
Gives us insight into how often vulnerabilities are 0 day
vulns
– If CVE is published before MS bulletin meaning that
vulnerability information was available before a response
from MS
No particular reason for choosing Microsoft, except that
they make the information easily available and usable
on their website
37. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
CVE Correlated with MS Bulletins
Bulletin published
before CVE, 1185
Bulletin published
with CVE, 818
Bulletin publised
after CVE, 268
38. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Microsoft 0 day vulnerabilities
If the MS correlation numbers carry over to other vendors: about 1 out of
every 10 vulnerabilities discovered is known by attackers before the vendor
can patch
– Security products will often not provide protection against these attacks until they
know about it
– Mitigations are more important in this respect
Attackers could possible evade them, but exploitation cost goes up significantly
Latest Windows/Linux have plenty of mitigations available by default: Windows 8 has
improved on many of them
EMET (Free MS tool) can enable protections to make it harder to exploit vulnerabilities in
Windows: e.g., better ASLR, RopGuard.
39. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Present
Let’s take a look at the first quarter of 2014: January 1st
until March 31st 2014
We will look at total vulnerabilities this year and severity
We will also look at the top 10 vendor and top 10
products for this quarter
Note: this data may not be completely up to date: while
the data was retrieved on April 1st, it may not include all
up to date information on a vulnerability, as this may be
updated later.
– This is especially true for the “unknown” vulnerabilities
40. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Total vulnerabilities: 2014
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
0
200
400
600
800
1000
1200
1400
1600
1800
2000
Q1 total Q1 >= 7 Q1 = 10
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
41. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Vulnerability types: 2014
Not enough info
16%
XSS
16%
Buffer Errors
13%
Access Control
13%
Input Validation
10%
SQL
Injection
5%
Resource
Management
5%
Path
Traversal
4%
Information Leak
3%
CSRF
3%
Crypto
3%
Authentication
2%
Numeric Errors
2%
Credentials
2%
Code Injection
2%
Link Following
1% Race Conditions
1%
OS Command
Injection
1%
42. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Top 10 Products: 2014
Internet Explorer, 43
Firefox, 37
JDK, 36
JRE, 36
Chrome, 35
Owncloud, 34
Seamonkey, 32
Linux Kernel, 28
iPhone, 24
Thunderbird, 21
43. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Future
Plenty of static analysis tools, mitigations, etc. yet buffer overflows
remain a very important vulnerability now and will probably will in
the future too
Access control / privilege issues will continue to remain important
in large part due to better privilege separation
Google will probably start moving up the top 10 more, it entered it
for the first time this year, displacing Adobe
Fewer vulnerabilities were reported in 2013
– Serious vulnerabilities have remained stable at 1/3rd of the
vulnerabilities
– Critical vulnerabilities have also remained stable at 1/10th of all
vulnerabilities
– In 2014 more vulnerabilities have been reported, slight lower
percentage of serious (but the same in absolute terms), but less critical
ones
44. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Vulnerabilities are not the same thing as exploits
Some vulnerabilities end up not being practically exploitable
– Mitigations
– Too much effort required
– Very specific environmental requirements
Not reliable
CVSS doesn’t really take environmental concerns into account
Microsoft study on exploits: Software Vulnerability Exploitation Trends
http://www.microsoft.com/en-us/download/details.aspx?id=39680
Cisco 2014 Annual Security Report
http://www.cisco.com/web/offers/lp/2014-annual-security-report/index.html
45. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Exploits and exploitation
From Microsoft’s study:
– Looked at a number of vulnerabilities that were classified as remote code execution
(RCE): 06-12
Looked at about 800 vulnerabilities
29% were exploited, rest of vulnerabilities were not exploited
Most vulnerabilities are exploited after patch, but an increasing number of 0day vulnerabilities are
being exploited
Trends shows that fewer vulnerabilities are being exploited since 2012, coincides with the adoption of
Windows 7 and IE10
However, there was a lull in 2007 and 2008 too, after Vista was released (the first Windows with real
mitigations)
– Could mean that this is a similar lull with improved mitigations in both Windows 7 and IE10
In 2012 there were no new exploits vulnerabilities for Windows 2000
– Windows 2000 was end-of-lifed in 2010, so no need for many new vulnerabilities since then, impact could be
interesting for XP
46. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Exploits and exploitation
Microsoft Study also found that
– Stack-based buffer overflows were massively exploited in
2006-2009
Decline since then: probably due to mitigations
– Heap corruption remained popular entire time
– Increased exploitation of use after free vulnerabilities
Most exploited vulnerability for Windows 7 and Vista
Occurs more in client-side applications (browsers)
No mitigations that address use-after-free specifically
– Study also looks at exploitation techniques
Exploits increasingly make use of mitigation bypasses
47. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Exploits and exploitation
Cisco Report:
– For web exploits, Java vulnerabilities are the most exploited by attackers:
91% of indicators of compromise monitored by FireAMP were related to Java
Far fewer related to Flash or PDF
– 1.2% of all web malware target a specific mobile device
– 99% of all that malware targets Android, 0.84% targets J2ME devices (the
second most popular target)
– Most frequently occurring mobile malware was Andr/Qdplugin-A: 43.8%
Frequently repackaged in legitimate apps distributed on unofficial marketplaces
– General malware types: trojans, 64%; adware 20%, worms 8% and viruses
4%
48. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Trends
Major software projects from important vendors still
have plenty of vulnerabilities
– Some vendors spend a lot of money and effort to improve
the security of their products
– They still suffer from significant vulnerabilities
– Software is more secure today than it has ever been
– Compromises continue
– As with other fields, defenders have to be lucky all the time,
while attackers only need to be lucky once
– Make it as hard as possible for attackers by enabling
mitigations, ensuring significant access control
49. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Trends
Browsers are a very important point of attack
Vulnerabilities in browsers themselves
– Major browsers are all 3 categories of top 10 of vulnerable products
– Vulnerabilities in file formats parsed by plugins
Media files
PDF: in serious and critical top 10
Java: in all 3 top 10 categories
Flash: also in serious and critical top 10
– Important to run latest browsers:
IE10 and Chrome have invested a lot in mitigations
Disable plugins you don’t need: Java, PDF, etc.
50. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Trends
Mobile phones also suffer from plenty of vulns:
Ensuring adequate protection on phones (AV, MDM,
etc.) is important
Malware is important on mobile phones too, not just
vulnerabilities
– Mobile Device Management can help against malware, but
doesn’t really help against vulnerabilities
– Much harder for a user to determine “safe” software
On PC, legitimate software is acquired from a number of
trusted sources
On app stores (mainly Android), everything looks legitimate
51. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Plan for compromise
Attackers breaking in is not inevitable, but a real
possibility that must be considered given the number of
vulnerabilities
Breaking in doesn’t mean total compromise
Client-side vulnerabilities are very important these days
Users have a higher risk of being compromised
Identify most important assets
Identify risks to those assets
Mitigate risk
Access control (firewalls on internal servers)
Internal detection (IDS/IPS for those servers)
Use SSL/other encryption internally too
52. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Plan for compromise
Have an incident response plan
Define what an incident is
Establish areas of responsibility for investigation and recovery
Containment
Can you contain the attacker quickly
What steps are required to recover from an incident
Recovery may be different depending on the type of incident
Determine how to restore asset quickly if compromised
Need to identify way of entry to prevent future compromises
Retrospective security can help with this
Examine extent of intrusion: e.g., must all users change passwords?
53. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Conclusion
Microsoft has significantly improved in the last couple of
years, their browser and mobile OS are better than their
competitors in terms of vulnerabilities discovered
Google’s entry into the consumer software and hardware
(as opposed to running a web service) has been
accompanied by a significant number of vulnerabilities
Oracle’s acquisition of Sun has brought quite a number of
extra vulnerabilities under the Oracle banner, some are
even still counted as Sun right now
54. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Conclusion
Vulnerabilities are here to stay
– While serious vulnerabilities have been in decline, total vulnerabilities
are not and neither are critical
– At some point many vendors thought that hunting for enough
vulnerabilities would make software secure
– New features increase the attack surface or make previously non-
exploitable errors exploitable
– Using several non-serious vulnerabilities in concert could result in a
more serious issue
– Buffer overflows have been around for 25 years yet are still one of the
top vulnerabilities
Full report (up to 2012) available via
http://www.sourcefire.com/25yearsofvulns
Get rid of XP: end of life was last week, no more security
updates