SAN FRANCISCO–One of the downsides to being a software company with a huge customer base is that your products are going to be prime targets for attackers. But the flip side to that coin is that you’re going to gather a lot of data about vulnerabilities and attacks.
Microsoft has been collecting that data for years now and has used it to help inform decisions about new defensive technologies, product improvements and patching strategies. The company shared some of that information Tuesday at the RSA Conference here and some of the data they have is quite revealing. One of the most intriguing bits to come out of the numbers is that while there are still large numbers of remote code execution vulnerabilities being disclosed every year, attackers are exploiting fewer and fewer of them.
“Vulnerabilities represent potential risk. But until somebody goes through the effort to develop an exploit that leverages that vulnerability, the risk isn’t actualized. The percentage of remote code execution vulnerabilities that are actually exploited is declining. The actual risk appears to be going down based on what we see,” said Matt Miller, principal security software engineer in the Microsoft Security Response Center. “The absolute number of those bugs continues to decline, as well.”
Remote code execution vulnerabilities are attacker catnip, and that’s especially true of RCE bugs in widely deployed software such as browsers and operating systems. For years, attackers had a field day with vulnerabilities in Internet Explorer and Windows, particularly buffer overflows. Rare was the Patch Tuesday that didn’t include fixes for a buffer overflow or six. But Microsoft has put a lot of resources and effort into making those bugs more difficult to exploit, and Miller said the work has paid off.
In fact, he said the company didn’t see a single stack corruption exploit in 2014.
“A couple of things have driven that. The Security Development Lifecycle has helped us eradicate these classes of bugs. And we’ve driven mitigations and improvements that have helped too,” Miller said. “In practice, this isn’t a vulnerability class that people go after anymore.”
Those changes have forced the attacker community to shift gears. Miller said attackers have started targeting use-after-free vulnerabilities more often and have moved heavily into return-oriented programming, a technique that can be used to bypass exploit mitigations in software. At the same time, the rise of easily available exploit kits such as Angler, Blackhole and others has made it much simpler for attackers to go after new vulnerabilities. And the exploits are showing up in those kits much more quickly than ever before.
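To make the two bug classes the talk contrasts concrete, here is an added example (not code from Microsoft, the speakers, or the article) showing a stack-corruption pattern next to its bounds-checked form, and a use-after-free pattern next to an ownership-clearing close. All function and struct names are hypothetical; the point is the shape of the defect and of the fix, which is the kind of change the SDL work Miller describes drives into a codebase.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from the article. Names and sizes are hypothetical. */

#define NAME_LEN 16

/* Stack-corruption pattern: strcpy() trusts the caller to size the source.
 * Kept only to show the defect; it is never called in this example. */
int format_name_unchecked(const char *src, char *out, size_t outlen)
{
    char buf[NAME_LEN];
    strcpy(buf, src);                /* no bound: an overlong src writes past buf */
    return snprintf(out, outlen, "user:%s", buf);
}

/* Hardened form: measure first, reject what does not fit, copy with an
 * explicit bound. Returns 0 on success, -1 if src is too long. */
int format_name_checked(const char *src, char *out, size_t outlen)
{
    char buf[NAME_LEN];
    size_t n = strlen(src);
    if (n >= sizeof buf)             /* need room for the terminator too */
        return -1;
    memcpy(buf, src, n + 1);         /* n + 1 <= sizeof buf */
    snprintf(out, outlen, "user:%s", buf);
    return 0;
}

/* Convenience wrapper so the accept/reject decision is a plain return value. */
int name_accepted(const char *src)
{
    char out[64];
    return format_name_checked(src, out, sizeof out);
}

/* Use-after-free pattern: a heap object freed in one place and used later. */
struct session {
    int id;
    char token[32];
};

struct session *session_open(int id)
{
    struct session *s = calloc(1, sizeof *s);
    if (s) {
        s->id = id;
        snprintf(s->token, sizeof s->token, "tok-%d", id);   /* constructed value */
    }
    return s;
}

/* Hardened close: takes the owner's pointer and clears it, so a later use
 * hits a NULL check instead of dangling memory. The scrub before free()
 * also keeps stale token bytes out of the freed chunk. */
void session_close(struct session **sp)
{
    if (sp && *sp) {
        memset(*sp, 0, sizeof **sp);
        free(*sp);
        *sp = NULL;
    }
}

/* Accessor that refuses a closed handle rather than reading freed memory. */
int session_id(const struct session *s)
{
    return s ? s->id : -1;
}

/* Lifecycle helpers: id seen before close, and what a use after close sees. */
int session_id_before_close(int id)
{
    struct session *s = session_open(id);
    int seen = session_id(s);
    session_close(&s);
    return seen;
}

int session_id_after_close(int id)
{
    struct session *s = session_open(id);
    session_close(&s);
    return session_id(s);             /* s is NULL now, so this is -1, not a UAF */
}

int main(void)
{
    printf("short name accepted: %d\n", name_accepted("alice"));
    printf("long name rejected:  %d\n", name_accepted("this-name-is-far-too-long-for-the-buffer"));
    printf("id before close:     %d\n", session_id_before_close(7));
    printf("id after close:      %d\n", session_id_after_close(7));
    return 0;
}
```

The checked copy rejects a 16-character name because the terminator needs the sixteenth byte; the close routine clears the caller's pointer, which is why the "after close" read returns -1 instead of touching released memory. Neither fix is novel; the article's point is that once patterns like the first are gone from a codebase, attackers move to the second class, so the ownership discipline matters as much as the bounds check.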
David Weston, principal program manager on the Microsoft One Protection team, who spoke alongside Miller, said that as recently as the beginning of 2014 it was taking roughly 30 days for exploits for a newly patched vulnerability to show up in the common exploit kits. By the end of the year, it was within ten days of the patch. And now, not only are the kit developers adding exploits for known bugs, but they are in some cases putting in exploits for undisclosed vulnerabilities.
“By the beginning of this year, we’re seeing the primary exploit kit developers introducing zero days,” Weston said. “The trickle-down effect is changing, as we’re seeing many more of these crimeware kits source things for themselves. That’s a dramatic change.”