Re: Russ Cooper's AusCERT Presentation on MS Security Bulletins
From: Drew Copley (dcopley_at_EEYE.COM)
Date: 06/04/04
- Previous message: George Boswell: "MS Knowledge Base articles can be misleading"
- Maybe in reply to: Russ: "Russ Cooper's AusCERT Presentation on MS Security Bulletins"
- Next in thread: Bryan Harrell: "Re: Russ Cooper's AusCERT Presentation on MS Security Bulletins"
Date: Fri, 4 Jun 2004 11:31:30 -0700
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> -----Original Message-----
> From: Windows NTBugtraq Mailing List
> [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of Russ
> Sent: Wednesday, June 02, 2004 10:43 AM
> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> Subject: Russ Cooper's AusCERT Presentation on MS Security Bulletins
>
> Howdy,
>
> As you may have heard, I did a presentation last week at the 2004
> AusCERT Conference in Gold Coast, Australia.
>
> My presentation was the culmination of analysis I performed on all
> Microsoft Security Bulletins published by Microsoft from January 1, 2000
> to date. I analyzed the *vulnerabilities*, dissecting each bulletin into
> their respective vulnerabilities. As we all know, each bulletin MS
> produces may involve numerous vulnerabilities. In addition,
> vulnerabilities addressed by a bulletin may affect some versions but not
> others. I tabulated all of this information based on the facts in the
> bulletins.
>
> The purpose of this was to address a common problem I see in the media,
> namely, attempting to use the count of bulletins in comparisons with
> other OS'. Patch count comparisons serve no purpose, but counting
> patched vulnerabilities, IMO, is a more accurate comparison. In
> addition, I grouped vulnerability counts according to whether they'd
> likely affect desktop, server, and IIS servers. Again, comparing raw
> numbers for "Windows" against other OS' isn't a correct comparison
> either, so using numbers based on a role made more sense to me.
<snip - noting the paragraphs which were below>
It might be noted that while modern x86 and related operating systems
have grown, so too, has the field of bugfinding, and it has grown
exponentially.
The vast majority of the fixed security issues we see in security
bulletins are bugs found in existing products in the wild. This is
done by the security "community".

Bugfinders have some reason for looking for issues in other Operating
Systems. Every Operating System and its set of applications presents
challenges. But, the bottom line is that Microsoft products have far,
far more users than any other Operating System -- and this attracts more
bugfinders.

What do you want to do... find a bug that affects tens of thousands
of users... or find a bug that affects hundreds of millions of users?
This said... there are always products out there which offer a proper
challenge to a bugfinder... but have a lesser user base. Some of these
products like Apache or SSH or IOS have the potential to affect just
as many people by striking at the heart of the whole internet system.
And, it might be noted, for myself, anyway, Unix derived Operating
Systems and their applications are always "right there". It is very
hard for us to understand or believe that there could be so many
Windows users at times. Because it seems like every other person
we know does not use it. But, then we look at the numbers.
I often read in some such article or some such post by someone
that has no idea of what they are talking about... about how
"insecure" Microsoft products are, or about how much more secure
their own Operating System is... even though the OS they are
speaking of is closely classed according to the Microsoft OS.
In fact, they are basing their judgments solely on the fact
that there are so many Windows virii and security holes. But, the
reason security bugs are found in Windows and the reason people
write virii for Windows is the proliferation of Windows. One might
make the exact same argument for why there are more cool
games on Windows.

It is entirely absurd and everyone knows it.

It is supply and demand. People may write on "supply and demand",
they may counter it -- as if someone just invented it one day... they
may pretend that such forces do not exist. They may deceive themselves
for whatever reason. But, the bottom line is this is how it works,
this is reality, not some figment of someone's imagination.
> I stressed that, IMO, far too much effort is being placed on patching IE
> vulnerabilities. To the best of my knowledge, only 2 wide-spread attacks
> have occurred involving IE vulnerabilities, yet there have been at least
> 83 vulnerabilities patched for IE. Clearly a lot of effort is being
> spent patching vulnerabilities which have not resulted in exploits, IMO,
> a large waste of Corporate resources.

Many of each year's top virii are written on Internet Explorer
holes... this has been true for many years now. There are many
reasons for this. One of them is that many people are in some way
"firewalled" or "natted" and that IE attacks will bypass this
kind of thing.
At this time, there is a huge market for IE security holes because
of the proliferation of spyware. The bad guys have put the dollar
to the map here. This is generally yet to be elsewhere. This is
a reason of late for the proliferation of IE worms and such using
security vulnerabilities very new, very poorly documented. There are
guys out there carefully studying this work specifically to make
easy money.
These things said, I don't want people without common sense thinking
that security researchers get some kind of rush out of that. If we
did, we wouldn't be keeping our security holes secret, we wouldn't
be using the full disclosure channels at all. We would be hacking
hundreds of millions of systems ourselves and living in the Caymans
right now. It is very, very hard to stop security holes no one knows
about. We are all very fortunate so few security vulnerabilities in
the wild have been undisclosed security vulnerabilities.
And, we can expect, knowing the laws of supply and demand, that this
trend will inevitably change somewhat.
Fortunately, the products have grown much, much more secure because
of the full disclosure community already. If we were faced with immature
products with a mature bugfinding community... we would not have a
chance.
<snip>
-----
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
-----