Security Vulnerabilities in Modern Operating Systems

The Common Vulnerabilities and Exposures (CVE) database has over 25 years of data on vulnerabilities in it. In this deck we dig through that database and use it to map out trends and general information on vulnerabilities in software over the last quarter century. For more information please visit our website: http://www.cisco.com/web/CA/index.html

1. Security Vulnerabilities in Modern Operating Systems
   T-SEC-18-B
   Yves Younan, Senior Research Engineer, Vulnerability Research Team (Sourcefire, now part of Cisco)
   Cisco and/or its affiliates. All rights reserved. T-SEC-18-B Cisco Public

2. Overview
   • A look at more than 25 years of past vulnerabilities
     – Based on the CVE/NVD data.
     – CVE started in 1999, but includes historical data going back to 1988.
     – NVD hosts all CVE information in addition to some extra data about vulnerability types, etc.
     – Based on the Sourcefire report: http://www.sourcefire.com/25yearsofvulns
   • Updated (with data from 2013 and 2014) and with data from other sources
   • A look at the future
     – What trends do we expect?
   • A look at exploitation trends based on other reports
   • What can we do to protect ourselves

3. Vulnerabilities Past
   • Data from 1988-2013
     – More than 59,800 vulnerabilities in this period
     – The majority of vulnerabilities fall in the last half of this period
     – The data has some issues though:
       • Depending on reporting, a single CVE entry may cover multiple similar vulnerabilities or only one
       • Product assignment is sometimes spotty (we have tried to clean this up a bit for mobile): entries not assigned to a product, or multiple product names for the same product
       • The categories used are not very good and their assignment is not all that great; the set of categories has also changed significantly over time
   • We use the "published date" provided by NVD to determine when a vulnerability was published: CVE IDs are assigned when they are requested, not when they are published, so small discrepancies between IDs and dates can exist around the end of the year
     – For example: CVE-2013-6642 was published in 2014

4. Common Vulnerability Scoring System (CVSS)
   • The analyst answers the following about the vulnerability:
     – Impact on confidentiality, integrity and availability: none, partial, complete
     – Access vector: local, adjacent network, network (remote)
     – Access complexity: low, medium, high
     – Authentication required: none, single, multiple
   • This gives a base score of 0-10
   • We use the following in the stats:
     – CVSS >= 7 is considered a serious vulnerability (this includes critical)
     – CVSS = 10 is considered a critical vulnerability
     – Note: if insufficient information is available, NVD scores the vulnerability as critical (worst case)
   • Gives us a measure of vulnerability impact, but can be a little subjective
     – One score, while multiple platforms may be affected with different impacts (e.g. due to mitigations)
5-9. Total, Serious and Critical Vulnerabilities by Year (1988-2013)
   Serious = CVSS >= 7 (includes critical); Critical = CVSS = 10. Percentages are of all vulnerabilities published that year.

   Year   Total  Serious  Serious%  Critical  Critical%
   1988       2        2    100.00         2     100.00
   1989       3        2     66.67         1      33.33
   1990      11        8     72.73         1       9.09
   1991      15       11     73.33         4      26.67
   1992      13       12     92.31         3      23.08
   1993      13        8     61.54         2      15.38
   1994      25       14     56.00         1       4.00
   1995      25       17     68.00         7      28.00
   1996      75       45     60.00         8      10.67
   1997     252      145     57.54        24       9.52
   1998     246      133     54.07        23       9.35
   1999     894      424     47.43       161      18.01
   2000    1020      452     44.31       142      13.92
   2001    1677      772     46.03       149       8.88
   2002    2156     1002     46.47       155       7.19
   2003    1528      678     44.37       119       7.79
   2004    2451      970     39.58       211       8.61
   2005    4931     2037     41.31       284       5.76
   2006    6609     2761     41.78       274       4.15
   2007    6516     3159     48.48       475       7.29
   2008    5636     2838     50.35       425       7.54
   2009    5731     2714     47.36       373       6.51
   2010    4638     2084     44.93       258       5.56
   2011    4151     1821     43.87       387       9.32
   2012    5281     1772     33.55       483       9.15
   2013    4747     1638     34.51       437       9.21
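The per-year table above is the kind of output the following script computes from NVD-style records. It is an added example, not code from the deck or from Sourcefire/Cisco. The records are constructed (only the CVE-2013-6642 identifier comes from slide 3, and the date given for it here is illustrative); the thresholds are the deck's (base score >= 7 is serious, = 10 is critical), and entries are bucketed by NVD published date rather than by the year in the CVE id, as slide 3 describes.

```python
"""Per-year vulnerability statistics in the style of the deck's slides 5-9.

Records are bucketed by NVD *published date* (not by the year in the CVE id)
and classified with the deck's CVSS v2 thresholds: base score >= 7.0 is
"serious" (which includes critical), base score == 10.0 is "critical".
All sample records are constructed for illustration; the CVE-2013-6642 id is
taken from the deck but its date here is illustrative.
"""
from collections import defaultdict
from datetime import date

SERIOUS_THRESHOLD = 7.0
CRITICAL_SCORE = 10.0

# Constructed sample: (cve_id, nvd_published_date, cvss_v2_base_score)
SAMPLE_RECORDS = [
    ("CVE-2013-0001", date(2013, 2, 14), 4.3),
    ("CVE-2013-0002", date(2013, 5, 2), 7.5),
    ("CVE-2013-0003", date(2013, 9, 30), 10.0),
    ("CVE-2013-0004", date(2013, 12, 20), 6.8),
    # Id requested in 2013 but published in 2014: counts for 2014 (slide 3).
    ("CVE-2013-6642", date(2014, 1, 7), 5.0),
    ("CVE-2014-0001", date(2014, 1, 15), 9.3),
    ("CVE-2014-0002", date(2014, 3, 3), 10.0),
]


def id_year(cve_id):
    """Year embedded in the CVE identifier (CVE-YYYY-NNNN)."""
    return int(cve_id.split("-")[1])


def classify(score):
    """Return (is_serious, is_critical) using the deck's thresholds."""
    return score >= SERIOUS_THRESHOLD, score == CRITICAL_SCORE


def yearly_stats(records):
    """Return {year: {total, serious, critical, serious_pct, critical_pct}}."""
    counts = defaultdict(lambda: {"total": 0, "serious": 0, "critical": 0})
    for _cve_id, published, score in records:
        bucket = counts[published.year]  # published date, not id_year()
        bucket["total"] += 1
        serious, critical = classify(score)
        bucket["serious"] += int(serious)
        bucket["critical"] += int(critical)
    for bucket in counts.values():
        total = bucket["total"]
        bucket["serious_pct"] = round(100.0 * bucket["serious"] / total, 2)
        bucket["critical_pct"] = round(100.0 * bucket["critical"] / total, 2)
    return dict(counts)


def id_year_mismatches(records):
    """CVE ids whose embedded year differs from the NVD published year."""
    return [cve for cve, published, _ in records if id_year(cve) != published.year]


if __name__ == "__main__":
    stats = yearly_stats(SAMPLE_RECORDS)
    print("Year  Total  Serious  Serious%  Critical  Critical%")
    for year in sorted(stats):
        s = stats[year]
        print(f"{year}  {s['total']:5d}  {s['serious']:7d}  {s['serious_pct']:8.2f}  "
              f"{s['critical']:8d}  {s['critical_pct']:9.2f}")
    print("id/published-year mismatches:", id_year_mismatches(SAMPLE_RECORDS))
```

Running it against a full NVD export means replacing SAMPLE_RECORDS with (id, published date, base score) tuples parsed from the feed; the id_year_mismatches() check is the quick way to see how many entries would land in the wrong year if you bucketed by CVE id instead of published date.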
10. Vulnerabilities by Type
   • The Common Weakness Enumeration (CWE) defines a number of categories for vulnerabilities
   • NVD uses a subset of CWE to categorize vulnerabilities:
     – Authentication issues: not properly authenticating users
     – Credentials management: password/credential storage/transmission issues
     – Access control: permission errors, privilege errors, etc.
     – Buffer errors: buffer overflows, etc.
     – CSRF: cross-site request forgery
     – XSS: cross-site scripting

11. Vulnerabilities by Type
   • NVD CWE subset continued:
     – Cryptographic issues: errors in crypto
     – Path traversal: incorrectly handling input like ".."
     – Code injection: executing scripting code or similar
     – Format string vulnerability: attackers control the format specifier of a formatting function
     – Configuration: errors in configuration
     – Information leak: exposing sensitive information
     – Input validation: lack of input verification; overlaps with other categories, kind of a misc. category
     – Numeric errors: integer overflows, signedness errors, etc.

12. Vulnerabilities by Type
   • NVD CWE subset continued:
     – OS command injection: executing commands via the command line
     – Race conditions: time-of-check to time-of-use errors
     – Resource management errors: memory leaks, consumption of excess resources, etc.
     – SQL injection
     – Link following: following symlinks / hard links

13. Vulnerabilities by Type
   Buffer Errors 15%, XSS 13%, Access Control 11%, Input Validation 10%, SQL Injection 10%, Not enough info 8%, Code Injection 6%, Information Leak 5%, Resource Management 5%, Path Traversal 4%, Numeric Errors 2%, Configuration 2%, Authentication 2%, Crypto 1%, Credentials 1%, CSRF 1%, Link Following 1%, Race Conditions 1%, OS Command Injection 1% (one further category label and its percentage are missing from the exported chart)

14. Serious Vulnerabilities by Type
   Buffer Errors 23%, SQL Injection 19%, Access Control 10%, Code Injection 10%, Not enough info 8%, Input Validation 8%, Resource Management 4%, Path Traversal 3%, Numeric Errors 2%, Authentication 2%, Configuration 2%, OS Command Injection 2%, Format String 1%, Credentials 1%, Information Leak 1%, Crypto 1%, XSS 1%

15. Critical Vulnerabilities by Type
   Buffer Errors 35%, Not enough info 22%, Access Control 8%, Input Validation 6%, Code Injection 4%, Resource Management 4%, OS Command Injection 3%, Numeric Errors 3%, Configuration 3%, Authentication 3%, Credentials 2%, Format String 2%, Path Traversal 2%, SQL Injection 1%, Information Leak 1%, Crypto 1%
16. Vulnerability Types Over the Years
   [chart: per-year counts (y-axis 0-3500) for the series Not enough info, Code Injection, Configuration, Input Validation, Access Control, Buffer errors, SQL Injection and XSS; the individual values are not legible in this export]
17. Vulnerabilities by Vendor
   • NVD has affected-product information for 58,561 vulnerabilities
   • The top 10 vendors account for 16,696 vulnerabilities, more than 28% of all vulnerabilities
   • Some vendors have lots of products, which can result in a higher total vulnerability count
   • We will also look at specific products later so we can provide a more extensive analysis

18. Top 10 Vendors for Total Vulnerabilities
   Microsoft 3280, Apple 2122, Oracle 2025, IBM 1802, Sun 1558, Cisco 1523, Mozilla 1255, Linux 1097, HP 1037, Google 997

19. Top 10 Vendors for Serious Vulnerabilities
   Microsoft 1948, Apple 921, Cisco 830, Adobe 757, Sun 727, IBM 662, Mozilla 613, Oracle 580, Google 559, HP 554

20. Top 10 Vendors for Critical Vulnerabilities
   Adobe 300, Oracle 287, Mozilla 246, Sun 235, HP 235, IBM 197, Microsoft 183, Google 113, Cisco 97, Apple 72
21. Top 10 Vendors over the Years
   [chart: per-year counts (y-axis 0-600) for Microsoft, Apple, Oracle, IBM, Sun, Cisco, Mozilla, Linux, HP and Google; the individual values are not legible in this export]
22. Top 10 Vendors, total number of distinct products
   HP 1291, Cisco 889, IBM 450, Microsoft 361, Oracle 232, Sun 199, Apple 92, Google 32, Mozilla 19, Linux 7

23. Top 10 vendors, unique CVEs to distinct products ratio
   Linux 156.7, Mozilla 66.1, Google 31.2, Apple 23.1 (the Apple label is missing from the exported chart; the value is computed from slides 18 and 22 as 2122 CVEs / 92 products), Microsoft 9.1, Oracle 8.7, Sun 7.8, IBM 4.0, Cisco 1.7, HP 0.8
24. Vulnerabilities by Product
   • Our vendor comparison gave us an idea of who had to deal with the most vulnerabilities
   • However, vendors have multiple products: having more products will usually result in suffering from more vulnerabilities
     – As seen in the products versus CVE entries comparison
   • Here we look at product-specific comparisons
     – Which products had the most vulnerabilities
   • Some caveats
     – Some versions are considered distinct products
       • Every Windows version is a distinct product

25. Top 10 Vulnerable Products
   Linux Kernel 1090, Firefox 1013, Chrome 886, Mac OS X 847, Windows XP 717, SeaMonkey 628, Internet Explorer 625, Mac OS X Server 608, Thunderbird 594, Solaris 557

26. Top 10 vulnerable products without shared code bases
   Linux Kernel 1090, Firefox 1013, Chrome 886, Mac OS X 847, Windows XP 717, Internet Explorer 625, Solaris 557, JRE 496, Safari 460, Linux 396

27. Top 10 vulnerable products, totaled with similar products
   Linux+Redhat 1895, All Windows 1237, Mozilla Suite 1046, Mac OS 891, Chrome 886, Internet Explorer 625, Solaris 590, JRE/JDK 501, Safari 460, PHP 353
   (A group total counts each CVE once, which is why Mozilla Suite at 1046 is far below the sum of the Firefox, SeaMonkey and Thunderbird counts on slide 25: the three products share most of their CVEs.)

28. Top 10 Seriously Vulnerable Products
   Firefox 529, Chrome 513, Windows XP 501, Thunderbird 365, SeaMonkey 364, Windows Vista 346, Windows Server 2008 337, Windows 2000 311, Internet Explorer 307, Windows Server 2003 299

29. Top 10 Seriously Vulnerable Products, totaled (similar)
   All Windows 755, Linux+Redhat 567, Firefox 539, Chrome 513, Internet Explorer 307, Mac OS X 303, JDK/JRE 289, Acrobat 283, Solaris 277, Flash/Air 260

30. Top 10 Critically Vulnerable Products
   Firefox 234, Thunderbird 179, SeaMonkey 167, JRE 152, JDK 145, Flash Player 134, Adobe Air 119, Chrome 99, Acrobat Reader 96, Acrobat 92

31. Top 10 Critically Vulnerable Products, totaled (similar)
   Mozilla suite 238, JRE/JDK 153, Flash/Air 135, All Windows 103, Linux+Redhat 101, Chrome 99, Acrobat 96, Solaris 61, Oracle Database 54, AIX 49
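The "totaled with similar products" slides (27, 29 and 31) count each CVE once per product group, which is why a group total is lower than the sum of its members' counts. The following is an added example, not code from the deck or from Sourcefire/Cisco: with constructed records and group definitions (the group names follow the slides), it shows the difference between unique-CVE group totals and the naive sum of per-product counts, and applies the deck's serious/critical thresholds to produce the equivalent of the "seriously" and "critically vulnerable, totaled" views.

```python
"""Per-product and per-group vulnerability counts, in the style of the deck's
"totaled with similar products" slides.

A CVE that affects several products of one group (Firefox, Thunderbird and
SeaMonkey share a code base) is counted once for the group. All records and
group definitions below are constructed for illustration.
"""
from collections import Counter

# Constructed sample: (cve_id, cvss_v2_base_score, set of affected products)
SAMPLE_RECORDS = [
    ("CVE-2013-1001", 9.3, {"firefox", "thunderbird", "seamonkey"}),
    ("CVE-2013-1002", 10.0, {"firefox", "seamonkey"}),
    ("CVE-2013-1003", 4.3, {"firefox"}),
    ("CVE-2013-1004", 6.8, {"thunderbird"}),
    ("CVE-2013-2001", 7.2, {"windows_xp", "windows_vista", "windows_7"}),
    ("CVE-2013-2002", 9.3, {"windows_xp", "windows_server_2003"}),
    ("CVE-2013-2003", 2.1, {"windows_7"}),
    ("CVE-2013-3001", 10.0, {"jre", "jdk"}),
    ("CVE-2013-3002", 5.0, {"chrome"}),
]

# Products that share a code base, grouped the way the deck's slides group them.
PRODUCT_GROUPS = {
    "Mozilla suite": {"firefox", "thunderbird", "seamonkey"},
    "All Windows": {"windows_xp", "windows_vista", "windows_7", "windows_server_2003"},
    "JRE/JDK": {"jre", "jdk"},
    "Chrome": {"chrome"},
}


def per_product_counts(records, min_score=0.0):
    """Naive per-product count: a CVE touching N products is counted N times.

    min_score=7.0 gives the "serious" view, min_score=10.0 the "critical" one.
    """
    counts = Counter()
    for _cve, score, products in records:
        if score >= min_score:
            counts.update(products)
    return dict(counts)


def per_group_counts(records, groups, min_score=0.0):
    """Unique CVEs per group: a CVE is counted once per group it touches."""
    seen = {name: set() for name in groups}
    for cve, score, products in records:
        if score < min_score:
            continue
        for name, members in groups.items():
            if products & members:
                seen[name].add(cve)
    return {name: len(cves) for name, cves in seen.items()}


def naive_group_sums(records, groups, min_score=0.0):
    """Sum of the per-product counts of each group's members (double counts)."""
    products = per_product_counts(records, min_score)
    return {name: sum(products.get(p, 0) for p in members)
            for name, members in groups.items()}


if __name__ == "__main__":
    for label, min_score in (("all", 0.0), ("serious", 7.0), ("critical", 10.0)):
        print(label)
        print("  unique per group:", per_group_counts(SAMPLE_RECORDS, PRODUCT_GROUPS, min_score))
        print("  naive sums:      ", naive_group_sums(SAMPLE_RECORDS, PRODUCT_GROUPS, min_score))
```

On the sample data the Mozilla group has 4 unique CVEs while the naive sum of its three members is 7; the same effect, at scale, separates the 1046 of slide 27 from the 2235 you get by adding the three Mozilla products on slide 25.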
32. Vulnerabilities by Windows Version
   XP 717, Server 2003 618, Windows 2000 504, Vista 455, Server 2008 450, Windows 7 325, NT 247, Windows 98 89, Windows 8 63, Windows Me 57, Server 2012 56, Windows 95 46

33. Vulnerabilities by Mobile Phone OS
   iPhone 310, Windows 49, Android 36, BlackBerry 13

34. Vulnerabilities by Mobile Phone OS
   Android 166, iPhone 164, Windows 54, BlackBerry 28
35. Microsoft Bulletins
   • Contain information on all Microsoft vulnerabilities and their associated CVEs
   • We correlate the release dates of the bulletins with the publication dates of the CVEs
   • This gives us insight into how often vulnerabilities are 0-day vulnerabilities
     – If the CVE is published before the MS bulletin, vulnerability information was available before a response from Microsoft
   • No particular reason for choosing Microsoft, except that they make the information easily available and usable on their website

36. CVE Correlated with MS Bulletins
   Bulletin published before CVE: 1185; bulletin published with CVE: 818; bulletin published after CVE: 268

37. Microsoft 0-day vulnerabilities
   • If the MS correlation numbers carry over to other vendors, about 1 out of every 10 vulnerabilities discovered (268 of 2271 here, 11.8%) is public, and so available to attackers, before the vendor can patch
     – Security products will often not provide protection against these attacks until they know about them
     – Mitigations are more important in this respect
       • Attackers could possibly evade them, but the exploitation cost goes up significantly
   • The latest Windows/Linux releases have plenty of mitigations available by default: Windows 8 has improved on many of them
   • EMET (a free Microsoft tool) can enable protections to make it harder to exploit vulnerabilities in Windows: e.g., better ASLR, RopGuard
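The bulletin/CVE date correlation of slides 35-37 can be reproduced as follows. This is an added example, not code from the deck, Sourcefire/Cisco or Microsoft; the bulletin identifiers, CVE identifiers and dates are constructed. A CVE is sorted into one of the deck's three buckets by comparing the bulletin release date with the NVD published date, and CVEs without an NVD date yet are kept apart rather than guessed.

```python
"""Correlating vendor advisory release dates with NVD publication dates, in
the style of the deck's slides 35-37 (Microsoft bulletins).

For every CVE a bulletin references, the bulletin's release date is compared
with the NVD "published" date. "bulletin_after_cve" means details were public
before the vendor's response, which the deck uses as a proxy for 0-day
exposure. All bulletin ids, CVE ids and dates below are constructed.
"""
from datetime import date

# Constructed sample bulletins: id -> (release date, referenced CVE ids)
SAMPLE_BULLETINS = {
    "MS-EXAMPLE-001": (date(2013, 1, 8), ["CVE-2013-9001", "CVE-2013-9002"]),
    "MS-EXAMPLE-002": (date(2013, 2, 12), ["CVE-2013-9003"]),
    "MS-EXAMPLE-003": (date(2013, 3, 12), ["CVE-2013-9004", "CVE-2013-9005", "CVE-2013-9006"]),
}

# Constructed sample NVD published dates (CVE-2013-9006 has none yet).
SAMPLE_NVD_PUBLISHED = {
    "CVE-2013-9001": date(2013, 1, 8),    # published with the bulletin
    "CVE-2013-9002": date(2013, 1, 9),    # bulletin came first
    "CVE-2013-9003": date(2013, 1, 20),   # CVE public before the bulletin: 0-day
    "CVE-2013-9004": date(2013, 3, 12),   # published with the bulletin
    "CVE-2013-9005": date(2013, 3, 13),   # bulletin came first
}

BEFORE = "bulletin_before_cve"
WITH = "bulletin_with_cve"
AFTER = "bulletin_after_cve"
UNKNOWN = "no_nvd_date"


def correlate(bulletins, nvd_published):
    """Return {cve_id: bucket}; if a CVE appears in several bulletins the last wins."""
    result = {}
    for _bulletin_id, (released, cves) in bulletins.items():
        for cve in cves:
            published = nvd_published.get(cve)
            if published is None:
                result[cve] = UNKNOWN
            elif released < published:
                result[cve] = BEFORE
            elif released == published:
                result[cve] = WITH
            else:
                result[cve] = AFTER
    return result


def bucket_counts(correlation):
    """Counts per bucket, always including all four keys."""
    counts = {BEFORE: 0, WITH: 0, AFTER: 0, UNKNOWN: 0}
    for bucket in correlation.values():
        counts[bucket] += 1
    return counts


def zero_day_fraction(correlation):
    """Share of correlated CVEs that were public before the vendor's bulletin."""
    correlated = [b for b in correlation.values() if b != UNKNOWN]
    if not correlated:
        return 0.0
    return sum(1 for b in correlated if b == AFTER) / len(correlated)


if __name__ == "__main__":
    corr = correlate(SAMPLE_BULLETINS, SAMPLE_NVD_PUBLISHED)
    print(bucket_counts(corr))
    print(f"share public before the bulletin: {zero_day_fraction(corr):.1%}")
```

With the deck's own counts (1185 before, 818 with, 268 after) the same fraction is 268 / 2271, about 11.8%, which is where the "about 1 out of every 10" on slide 37 comes from. Day granularity is deliberate: NVD publication timestamps and bulletin release times are not comparable at finer resolution.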
38. Present
   • Let's take a look at the first quarter of 2014: January 1st until March 31st 2014
   • We will look at total vulnerabilities this year and their severity
   • We will also look at the top 10 vendors and top 10 products for this quarter
   • Note: this data may not be completely up to date: the data was retrieved on April 1st, but it may not include all up-to-date information on a vulnerability, as entries may be updated later
     – This is especially true for the "unknown" vulnerabilities

39. Total vulnerabilities: 2014
   [chart: first-quarter counts for 2005-2014 with the series "Q1 total", "Q1 >= 7" and "Q1 = 10" (y-axis 0-2000); the individual values are not legible in this export]

40. Vulnerability types: 2014 (Q1)
   Not enough info 16%, XSS 16%, Buffer Errors 13%, Access Control 13%, Input Validation 10%, SQL Injection 5%, Resource Management 5%, Path Traversal 4%, Information Leak 3%, CSRF 3%, Crypto 3%, Authentication 2%, Numeric Errors 2%, Credentials 2%, Code Injection 2%, Link Following 1%, Race Conditions 1%, OS Command Injection 1%

41. Top 10 Products: 2014 (Q1)
   Internet Explorer 43, Firefox 37, JDK 36, JRE 36, Chrome 35, ownCloud 34, SeaMonkey 32, Linux Kernel 28, iPhone 24, Thunderbird 21
42. Future
   • Plenty of static analysis tools, mitigations, etc., yet buffer overflows remain a very important vulnerability class now and will probably remain so in the future
   • Access control / privilege issues will remain important, in large part because of better privilege separation: with sandboxes in place, an attacker needs an additional privilege bug to get anywhere after the initial compromise
   • Google will probably keep moving up the top 10; it entered it for the first time this year, displacing Adobe
   • Fewer vulnerabilities were reported in 2013
     – Serious vulnerabilities have remained stable at about 1/3 of all vulnerabilities
     – Critical vulnerabilities have also remained stable at about 1/10 of all vulnerabilities
     – In the first quarter of 2014 more vulnerabilities have been reported, with a slightly lower percentage of serious ones (but about the same in absolute terms) and fewer critical ones

43. Vulnerabilities are not the same thing as exploits
   • Some vulnerabilities end up not being practically exploitable
     – Mitigations
     – Too much effort required
     – Very specific environmental requirements
       • Not reliable
   • The CVSS score NVD publishes does not take environmental concerns into account (CVSS has optional temporal and environmental metric groups, but NVD scores only the base metrics)
   • Microsoft study on exploits: Software Vulnerability Exploitation Trends
     – http://www.microsoft.com/en-us/download/details.aspx?id=39680
   • Cisco 2014 Annual Security Report
     – http://www.cisco.com/web/offers/lp/2014-annual-security-report/index.html
44. Exploits and exploitation
   • From Microsoft's study:
     – Looked at a number of vulnerabilities classified as remote code execution (RCE), 2006-2012
       • About 800 vulnerabilities
       • 29% were exploited; the rest were not
     – Most vulnerabilities are exploited after the patch, but an increasing number of 0-day vulnerabilities are being exploited
     – The trend shows fewer vulnerabilities being exploited since 2012, which coincides with the adoption of Windows 7 and IE10
       • However, there was a lull in 2007 and 2008 too, after Vista was released (the first Windows with real mitigations)
       • This could be a similar lull, caused by the improved mitigations in both Windows 7 and IE10
     – In 2012 there were no newly exploited vulnerabilities for Windows 2000
       • Windows 2000 was end-of-lifed in 2010, so there has been no need for many new vulnerabilities since then; the effect on XP could be interesting

45. Exploits and exploitation
   • The Microsoft study also found that:
     – Stack-based buffer overflows were massively exploited in 2006-2009
       • Decline since then: probably due to mitigations
     – Heap corruption remained popular the entire time
     – Increased exploitation of use-after-free vulnerabilities
       • The most exploited vulnerability class for Windows 7 and Vista
       • Occurs more in client-side applications (browsers)
       • No mitigations that address use-after-free specifically
     – The study also looks at exploitation techniques
       • Exploits increasingly make use of mitigation bypasses

46. Exploits and exploitation
   • Cisco Report:
     – For web exploits, Java vulnerabilities are the most exploited by attackers: 91% of indicators of compromise monitored by FireAMP were related to Java
       • Far fewer were related to Flash or PDF
     – 1.2% of all web malware targets a specific mobile device
     – 99% of that malware targets Android; 0.84% targets J2ME devices (the second most popular target)
     – The most frequently occurring mobile malware was Andr/Qdplugin-A: 43.8%
       • Frequently repackaged in legitimate apps distributed on unofficial marketplaces
     – General malware types: trojans 64%, adware 20%, worms 8% and viruses 4%
47. Trends
   • Major software projects from important vendors still have plenty of vulnerabilities
     – Some vendors spend a lot of money and effort to improve the security of their products
     – They still suffer from significant vulnerabilities
     – Software is more secure today than it has ever been
     – Compromises continue
     – As in other fields, defenders have to be lucky all the time, while attackers only need to be lucky once
     – Make it as hard as possible for attackers by enabling mitigations and ensuring strict access control

48. Trends
   • Browsers are a very important point of attack
   • Vulnerabilities in browsers themselves
     – Major browsers are in all 3 categories of the top 10 vulnerable products (total, serious, critical)
   • Vulnerabilities in file formats parsed by plugins
     – Media files
     – PDF: in the serious and critical top 10
     – Java: in all 3 top 10 categories
     – Flash: also in the serious and critical top 10
   • Important to run the latest browsers:
     – IE10 and Chrome have invested a lot in mitigations
     – Disable plugins you don't need: Java, PDF, etc.

49. Trends
   • Mobile phones also suffer from plenty of vulnerabilities:
     – Ensuring adequate protection on phones (AV, MDM, etc.) is important
   • Malware is important on mobile phones too, not just vulnerabilities
     – Mobile Device Management can help against malware, but doesn't really help against vulnerabilities
     – It is much harder for a user to determine "safe" software
       • On a PC, legitimate software is acquired from a number of trusted sources
       • On app stores (mainly Android), everything looks legitimate
50. Plan for compromise
   • Attackers breaking in is not inevitable, but a real possibility that must be considered given the number of vulnerabilities
   • Breaking in doesn't mean total compromise
   • Client-side vulnerabilities are very important these days
     – Users have a higher risk of being compromised
   • Identify the most important assets
   • Identify risks to those assets
   • Mitigate risk
     – Access control (firewalls on internal servers)
     – Internal detection (IDS/IPS for those servers)
     – Use SSL/other encryption internally too

51. Plan for compromise
   • Have an incident response plan
     – Define what an incident is
     – Establish areas of responsibility for investigation and recovery
   • Containment
     – Can you contain the attacker quickly?
   • What steps are required to recover from an incident
     – Recovery may differ depending on the type of incident
     – Determine how to restore an asset quickly if it is compromised
     – Identify the way of entry to prevent future compromises
       • Retrospective security can help with this
     – Examine the extent of the intrusion: e.g., must all users change passwords?
52. Conclusion
   • Microsoft has significantly improved in the last couple of years; their browser and mobile OS are better than their competitors' in terms of vulnerabilities discovered
   • Google's entry into consumer software and hardware (as opposed to running a web service) has been accompanied by a significant number of vulnerabilities
   • Oracle's acquisition of Sun has brought quite a number of extra vulnerabilities under the Oracle banner; some are even still counted as Sun right now

53. Conclusion
   • Vulnerabilities are here to stay
     – While serious vulnerabilities have been in decline, total vulnerabilities are not, and neither are critical ones
     – At some point many vendors thought that hunting down enough vulnerabilities would make software secure
     – New features increase the attack surface or make previously non-exploitable errors exploitable
     – Using several non-serious vulnerabilities in concert could result in a more serious issue
     – Buffer overflows have been around for 25 years yet are still one of the top vulnerability classes
   • Full report (up to 2012) available via http://www.sourcefire.com/25yearsofvulns
   • Get rid of XP: end of life was last week, no more security updates
