CANCUN – The skill of attackers, combined with the difficulty and cost of finding and fixing vulnerabilities in software, especially after deployment, has reached the point where it is now more effective and efficient for vendors to concentrate on making life harder for the attackers who want to exploit those bugs.

It is accepted as a truism by software companies and security researchers alike that there is no real way to write perfectly secure code. There will always be a bug somewhere, and trying to identify and fix all of them in an application of any real size is a brutally difficult task. With that in mind, software vendors such as Microsoft, Adobe and others have turned to developing technologies designed to blunt the effectiveness of the exploits attackers are using, rather than relying on finding every bug first.

“[Writing a completely secure application] is completely infeasible for the size programs we’re talking about. We’re trying to figure out what sort of mitigations we can put in place that drive up the cost of these exploits,” Brad Arkin, senior director of product security and privacy at Adobe, said in a keynote talk at the Kaspersky Lab-Threatpost Security Analyst Summit here Thursday. “My goal isn’t to find and fix every security bug. It’s to drive up the cost of writing exploits. We invest a lot of time in building up mitigations that increase the cost and complexity of writing exploits that will become reliable.”

[Photo: Brad Arkin. Courtesy of Costin Raiu]

Adobe, like Microsoft, has deployed exploit mitigations such as ASLR, DEP and sandboxes in the hope of making it more expensive for the first attackers to write and use a reliable exploit. That first exploit matters most: once it has been used, it quickly becomes known and usable to a broad set of attackers, and the race is on for the vendor to develop, test and push out a patch before too many of its customers are hit. The people developing and using fresh exploits for vulnerabilities are generally the ones with considerable financial and technical resources, Arkin said, not lone, financially motivated actors.
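Mitigations such as ASLR and DEP only raise the attacker's cost if the shipped binary actually opted into them, so the first check a practitioner makes is on the build artifact itself. As an added example (not Adobe's or Microsoft's code, and not part of the original article), the following Python script reads the ELF headers of a Linux binary and reports whether it is position-independent (PIE, the prerequisite for ASLR of the main image), whether its stack is marked non-executable (the DEP/NX marker carried in the PT_GNU_STACK program header) and whether it has a RELRO region. Field layouts and constants are taken from the ELF and GNU ABI specifications; build_sample_elf() is a constructed, synthetic header used only so the checks can be exercised offline. Two caveats: ET_DYN is also used by shared libraries, so "pie" is only meaningful for a main executable, and a missing PT_GNU_STACK header is treated as an executable stack, the historical Linux default.

```python
"""Check a Linux ELF binary for the PIE, NX-stack and RELRO mitigations.

Added example for illustration; not code from Adobe, Microsoft or the article.
Layouts follow the ELF64/ELF32 specs and the GNU ABI program-header extensions.
"""
import struct
import sys

PT_GNU_STACK = 0x6474E551   # program header recording the stack's permissions
PT_GNU_RELRO = 0x6474E552   # region remapped read-only after relocation
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
ET_EXEC, ET_DYN = 2, 3      # fixed-address executable vs. position-independent

# ELF header layouts (byte-order prefix is added per file from e_ident[EI_DATA]).
_EHDR64 = "16sHHIQQQIHHHHHH"   # 64 bytes
_EHDR32 = "16sHHIIIIIHHHHHH"   # 52 bytes


def check_mitigations(data: bytes) -> dict:
    """Return {'pie', 'nx', 'relro'} booleans for the ELF image in `data`."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    bo = "<" if data[5] == 1 else ">"        # EI_DATA:  1 = little endian
    fields = struct.unpack_from(bo + (_EHDR64 if is64 else _EHDR32), data, 0)
    e_type, phoff, phentsize, phnum = fields[1], fields[5], fields[9], fields[10]

    stack_flags = None       # None means no PT_GNU_STACK header was present
    relro = False
    for i in range(phnum):
        off = phoff + i * phentsize
        if is64:
            p_type, p_flags = struct.unpack_from(bo + "II", data, off)
        else:                                # ELF32 stores p_flags at offset 24
            p_type = struct.unpack_from(bo + "I", data, off)[0]
            p_flags = struct.unpack_from(bo + "I", data, off + 24)[0]
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True

    return {
        "pie": e_type == ET_DYN,
        # Absent PT_GNU_STACK is the historical "executable stack" default.
        "nx": stack_flags is not None and not (stack_flags & PF_X),
        "relro": relro,
    }


def build_sample_elf(pie=True, nx_stack=True, relro=True) -> bytes:
    """Constructed sample (hypothetical, no code inside): a 64-bit little-endian
    ELF header followed only by program headers, enough to exercise the checks.
    nx_stack=None omits PT_GNU_STACK entirely."""
    phdrs = []
    if nx_stack is not None:
        flags = PF_R | PF_W | (0 if nx_stack else PF_X)
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16))
    if relro:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + bytes(7)   # class, data, version, ABI
    ehdr = struct.pack("<" + _EHDR64, ident, ET_DYN if pie else ET_EXEC, 0x3E, 1,
                       0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(phdrs)


if __name__ == "__main__":
    # Usage: python check_elf_mitigations.py /path/to/binary ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, check_mitigations(fh.read()))
```

Run it against a real binary to see the same three flags; on a distribution-built executable all three are normally true, and a false in any column is exactly the kind of gap that keeps an exploit cheap to write.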

“The skill to write something the first time is very high, but the exploit can be adapted and modified very cheaply,” he said.

The flip side of that coin is that once a new exploit is used, the clock starts ticking on its useful lifetime. Security researchers, defenders at the organizations being attacked and others quickly identify the exploit and, ideally, share it with the affected vendor. Once that happens, the usefulness of the exploit drops precipitously.

“The first time you use it, there’s a very dramatic drop in its utility, because now the target has a copy,” Arkin said. “They might not know they have it, but now the risk that it will get caught and identified starts to increase the moment you use it.”

Arkin said that Adobe often sees a sharp spike in attacks against a new vulnerability in one of its products immediately after a module for it is released in the Metasploit Framework.

“The biggest jump in exploits we see is right after the release of a Metasploit module,” he said. “We’ll see a few attacks a day before that and then it will spike to five thousand a day, and it goes up from there. There’s a correlation between the broader availability of an exploit and more people getting attacked.”


Comments (2)

  1. Anonymous

    If the software companies would quit building marketing into their products, exploits would decrease significantly. For instance, every time Adobe puts a new feature in PDF, it increases the possibilities of exploits. When there is a conflict between security and marketing, marketing always wins. Why not just give us a basic software product and leave it at that? We don’t need all the bells/whistles that open the door to more exploits. You’re just helping the exploit guys when you include features designed more for marketing than real importance!


  2. Anonymous

    You fail to notice, though, that aside from us boring security snobs… 99% of other people want the bells and whistles and either don’t give a crap about security or believe that “it won’t happen to them”.
