Security Vulnerabilities in Modern Operating Systems T-SEC-18-B
Yves Younan
Senior Research Engineer
Vulnerability Research Team (Sourcefire, now part of Cisco)
Cisco and/or its affiliates. All rights reserved. T-SEC-18-B Cisco Public
Overview
A look at more than 25 years of past vulnerabilities
– Based on the CVE/NVD data.
– CVE started in 1999, but includes historical data going back to 1988.
– NVD hosts all CVE information in addition to some extra data about vulnerability types, etc.
– Based on Sourcefire report: http://www.sourcefire.com/25yearsofvulns
Updated (with data from 2013, 2014) and data from other sources
A look at the future
– What trends do we expect?
A look at exploitation trends based on other reports
What can we do to protect ourselves
Vulnerabilities Past
Data from 1988-2013
– More than 59,800 vulnerabilities in this period
– Majority of vulnerabilities in the last half of this period
– Data has some issues though
Depending on reporting, a single CVE id could cover multiple similar vulnerabilities or just one
Sometimes product assignment is spotty (we’ve tried to clean this up a bit for mobile)
– Not correctly assigned to a product, multiple product names for the same product
The categories that are used are not very good and their assignment is not all that great
– The set of categories also changed significantly over time
We use the “published date” provided by NVD to determine when a vulnerability was published: CVE ids are generated based on when they are requested, not published, so small discrepancies between ids and dates can exist around the end of the year
– For example: CVE-2013-6642 was published in 2014
Common vulnerability scoring system
Analyst answers the following about the vulnerability:
– Impact on confidentiality, accessibility, integrity: low, partial, complete
– Access vector: local, adjacent network, remote
– Authentication required: none, single, multiple
Gives a base score of 0-10
We use the following in the stats: CVSS >= 7 is considered a serious vulnerability (this includes critical ones)
CVSS = 10 is considered a critical vulnerability
– Note: if insufficient information is available, NVD will consider the vulnerability to be critical
Gives us a measure of vulnerability impact, but can be a little subjective
– One score, while multiple platforms may be affected, with different impacts (e.g. due to mitigations)
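The bucketing described on the last two slides (by NVD published year, not by the year in the CVE id, with CVSS >= 7 as serious, CVSS = 10 as critical and unscored entries treated as critical), as an added example that is not part of the deck or of the Sourcefire report; the CVE records below are constructed sample data.

```python
"""Bucket CVE records by NVD published year and classify them by CVSS base score."""
from collections import defaultdict
from datetime import date

# Constructed sample records: (CVE id, NVD published date, CVSS v2 base score or None).
# The last record deliberately has an id year that differs from its published year,
# mirroring the CVE-2013-6642 case mentioned in the slides.
SAMPLE_CVES = [
    ("CVE-2012-0001", date(2012, 1, 10), 9.3),
    ("CVE-2012-0002", date(2012, 3, 2), 4.3),
    ("CVE-2012-0003", date(2012, 6, 15), 10.0),
    ("CVE-2012-0004", date(2012, 11, 30), None),  # no score: NVD treats it as critical
    ("CVE-2013-0001", date(2013, 2, 1), 7.5),
    ("CVE-2013-0002", date(2013, 8, 20), 5.0),
    ("CVE-2013-9999", date(2014, 1, 3), 6.8),     # id requested in 2013, published in 2014
]

SERIOUS_THRESHOLD = 7.0   # CVSS >= 7 is "serious" (critical included)
CRITICAL_SCORE = 10.0     # CVSS = 10 is "critical"


def effective_score(score):
    """NVD convention from the slide: insufficient information is scored as critical."""
    return CRITICAL_SCORE if score is None else score


def yearly_stats(records):
    """Return {year: {total, serious, critical, serious_pct, critical_pct}},
    keyed by the NVD published year rather than the year embedded in the CVE id."""
    counts = defaultdict(lambda: {"total": 0, "serious": 0, "critical": 0})
    for _cve_id, published, score in records:
        year = published.year  # published date, not int(cve_id.split("-")[1])
        s = effective_score(score)
        bucket = counts[year]
        bucket["total"] += 1
        if s >= SERIOUS_THRESHOLD:
            bucket["serious"] += 1  # critical vulnerabilities are counted here as well
        if s == CRITICAL_SCORE:
            bucket["critical"] += 1
    for bucket in counts.values():
        bucket["serious_pct"] = round(100.0 * bucket["serious"] / bucket["total"], 2)
        bucket["critical_pct"] = round(100.0 * bucket["critical"] / bucket["total"], 2)
    return dict(counts)


def id_year_mismatches(records):
    """CVE ids whose embedded year differs from the NVD published year."""
    return [cve_id for cve_id, published, _ in records
            if int(cve_id.split("-")[1]) != published.year]


if __name__ == "__main__":
    for year, bucket in sorted(yearly_stats(SAMPLE_CVES).items()):
        print(year, bucket)
    print("id/published year mismatches:", id_year_mismatches(SAMPLE_CVES))
```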
Total, Serious and Critical Vulnerabilities by Year (1988-2013)
Year   Total   Serious (CVSS >= 7)   Serious % of all   Critical (CVSS = 10)   Critical % of all
1988   2       2                     100                2                      100
1989   3       2                     66.67              1                      33.33
1990   11      8                     72.73              1                      9.09
1991   15      11                    73.33              4                      26.67
1992   13      12                    92.31              3                      23.08
1993   13      8                     61.54              2                      15.38
1994   25      14                    56                 1                      4
1995   25      17                    68                 7                      28
1996   75      45                    60                 8                      10.67
1997   252     145                   57.54              24                     9.52
1998   246     133                   54.07              23                     9.35
1999   894     424                   47.43              161                    18.01
2000   1020    452                   44.31              142                    13.92
2001   1677    772                   46.03              149                    8.88
2002   2156    1002                  46.47              155                    7.19
2003   1528    678                   44.37              119                    7.79
2004   2451    970                   39.58              211                    8.61
2005   4931    2037                  41.31              284                    5.76
2006   6609    2761                  41.78              274                    4.15
2007   6516    3159                  48.48              475                    7.29
2008   5636    2838                  50.35              425                    7.54
2009   5731    2714                  47.36              373                    6.51
2010   4638    2084                  44.93              258                    5.56
2011   4151    1821                  43.87              387                    9.32
2012   5281    1772                  33.55              483                    9.15
2013   4747    1638                  34.51              437                    9.21
Vulnerabilities by Type
Common Weakness Enumeration creates a number of categories for vulnerabilities
NVD uses a subset of CWE to categorize vulnerabilities:
– Authentication issues: not properly authenticating users
– Credentials management: password/credential storage/transmission issues
– Access Control: permission errors, privilege errors, etc.
– Buffer error: buffer overflows, etc.
– CSRF: cross-site request forgery
– XSS: cross site scripting
Vulnerabilities by Type
NVD CWE subset continued:
– Cryptographic issues: errors in crypto
– Path traversal: incorrectly handling input like “..”
– Code injection: executing scripting code or similar
– Format string vulnerability: when attackers control the format specifier for a formatting function
– Configuration: errors in configuration
– Information leak: exposing sensitive information
– Input validation: lack of verifying input, overlaps with other categories, kind of a misc. category
– Numeric errors: integer overflows, signedness errors, etc.
Vulnerabilities by Type
NVD CWE subset continued:
– OS Command Injections: executing via command line
– Race conditions: time of check to time of use errors
– Resource management errors: memory leaks, consuming of excess resources, etc.
– SQL injection
– Link following: following symlinks / hard links
Vulnerabilities by Type
Buffer Errors, 15%
XSS, 13%
Access Control, 11%
Input Validation, 10%
SQL Injection, 10%
Not enough info, 8%
Code Injection, 6%
Information Leak, 5%
Resource Management, 5%
Path Traversal, 4%
Numeric Errors, 2%
Configuration, 2%
Authentication, 2%
Crypto, 1%
Credentials, 1%
CSRF, 1%
Link Following, 1%
Race Conditions, 1%
OS Command Injection, 1%
Serious Vulnerabilities by Type
Buffer Errors, 23%
SQL Injection, 19%
Access Control, 10%
Code Injection, 10%
Not enough info, 8%
Input Validation, 8%
Resource Management, 4%
Path Traversal, 3%
Numeric Errors, 2%
Authentication, 2%
Configuration, 2%
OS Command Injection, 2%
Format String, 1%
Credentials, 1%
Information Leak, 1%
Crypto, 1%
XSS, 1%
Critical Vulnerabilities by Type
Buffer Errors, 35%
Not enough info, 22%
Access Control, 8%
Input Validation, 6%
Code Injection, 4%
Resource Management, 4%
OS Command Injection, 3%
Numeric Errors, 3%
Configuration, 3%
Authentication, 3%
Credentials, 2%
Format String, 2%
Path Traversal, 2%
SQL Injection, 1%
Information Leak, 1%
Crypto, 1%
Vulnerability Types Over the Years
Chart: yearly counts per type, 0-3500 scale (individual bar values are not recoverable from the slide). Series shown: Not enough info, Code Injection, Configuration, Input Validation, Access Control, Buffer errors, SQL Injection, XSS.
Vulnerabilities by Vendor
NVD has information on affected product for 58,561 vulnerabilities
Top 10 vendors account for 16,696 vulnerabilities, more than 28% of all vulnerabilities.
Some vendors have lots of products, which can result in a higher total vulnerabilities count
We will also look at specific products later so we can provide more extensive analysis
Top 10 Vendors for Total Vulnerabilities
Microsoft, 3280
Apple, 2122
Oracle, 2025
IBM, 1802
Sun, 1558
Cisco, 1523
Mozilla, 1255
Linux, 1097
HP, 1037
Google, 997
Top 10 Vendors for Serious Vulnerabilities
Microsoft, 1948
Apple, 921
Cisco, 830
Adobe, 757
Sun, 727
IBM, 662
Mozilla, 613
Oracle, 580
Google, 559
HP, 554
Top 10 Vendors for Critical Vulnerabilities
Adobe, 300
Oracle, 287
Mozilla, 246
Sun, 235
HP, 235
IBM, 197
Microsoft, 183
Google, 113
Cisco, 97
Apple, 72
Top 10 Vendors over the Years
Chart: yearly vulnerability counts per vendor, 0-600 scale (values are not recoverable from the slide). Series shown: Microsoft, Apple, Oracle, IBM, Sun, Cisco, Mozilla, Linux, HP.
Top 10 Vendors, total number of distinct products
HP, 1291
Cisco, 889
IBM, 450
Microsoft, 361
Oracle, 232
Sun, 199
Apple, 92
Google, 32
Mozilla, 19
Linux, 7
Top 10 vendors, unique CVEs to distinct products ratio
Linux, 156.7
Mozilla, 66.1
Google, 31.2
(one vendor label is unreadable on the slide)
Microsoft, 9.1
Oracle, 8.7
Sun, 7.8
IBM, 4
Cisco, 1.7
HP, 0.8
Vulnerabilities by Product
Our vendor comparison gave us an idea of who had to deal with the most vulnerabilities
However, vendors have multiple products: having more products will usually result in suffering from more vulnerabilities
– As was seen in the product versus CVE entry comparison
Here we look at product-specific comparisons
– Which products had the most vulnerabilities
Some caveats
– Some versions are considered distinct products
Every Windows version is a distinct product
Top 10 Vulnerable Products
Linux Kernel, 1090
Firefox, 1013
Chrome, 886
Mac OSX, 847
Windows XP, 717
Seamonkey, 628
Internet Explorer, 625
Mac OSX Server, 608
Thunderbird, 594
Solaris, 557
Top 10 vulnerable products without shared code bases
Linux Kernel, 1090
Firefox, 1013
Chrome, 886
Mac OSX, 847
Windows XP, 717
Internet Explorer, 625
Solaris, 557
JRE, 496
Safari, 460
Linux, 396
Top 10 vulnerable products, totaled with similar products
Linux+Redhat, 1895
All Windows, 1237
Mozilla Suite, 1046
Mac OS, 891
Chrome, 886
Internet Explorer, 625
Solaris, 590
JRE/JDK, 501
Safari, 460
PHP, 353
Top 10 Seriously Vulnerable Products
Firefox, 529
Chrome, 513
Windows XP, 501
Thunderbird, 365
Seamonkey, 364
Windows Vista, 346
Windows Server 2008, 337
Windows 2000, 311
Internet Explorer, 307
Windows 2003 Server, 299
Top 10 Seriously Vulnerable Products, totaled (similar)
All Windows, 755
Linux+Redhat, 567
Firefox, 539
Chrome, 513
Internet Explorer, 307
Mac OS X, 303
JDK/JRE, 289
Acrobat, 283
Solaris, 277
Flash/Air, 260
Top 10 Critically Vulnerable Products
Firefox, 234
Thunderbird, 179
Seamonkey, 167
JRE, 152
JDK, 145
Flash Player, 134
Adobe Air, 119
Chrome, 99
Acrobat Reader, 96
Acrobat, 92
Top 10 Critically Vulnerable Products, totalled (similar)
Mozilla suite, 238
JRE/JDK, 153
Flash/Air, 135
All Windows, 103
Linux+Redhat, 101
Chrome, 99
Acrobat, 96
Solaris, 61
Oracle Database, 54
AIX, 49
Vulnerabilities by Windows Version
XP, 717
Server 2003, 618
Win 2000, 504
Vista, 455
Server 2008, 450
Win 7, 325
NT, 247
Win 98, 89
Win 8, 63
Win Me, 57
Server 2012, 56
Win 95, 46
Vulnerabilities by Mobile Phone OS
iPhone, 310
Windows, 49
Android, 36
BlackBerry, 13
Vulnerabilities by Mobile Phone OS
Android, 166
iPhone, 164
Windows, 54
BlackBerry, 28
Microsoft Bulletins
Contain information on all Microsoft vulnerabilities and associated CVEs
Correlate the release dates of the bulletins with the release dates of the CVEs
Gives us insight into how often vulnerabilities are 0 day vulns
– If a CVE is published before the MS bulletin, vulnerability information was available before a response from MS
No particular reason for choosing Microsoft, except that they make the information easily available and usable on their website
CVE Correlated with MS Bulletins
Bulletin published before CVE, 1185
Bulletin published with CVE, 818
Bulletin published after CVE, 268
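The bulletin-to-CVE correlation behind these three counts, as an added example that is not part of the deck: each CVE listed in a bulletin is classified by comparing the bulletin release date with the NVD published date. Bulletin ids, CVE ids and dates are constructed sample data; only the three totals in the last function's test come from the slide.

```python
"""Classify CVEs as published before, with, or after the bulletin that fixes them."""
from collections import Counter
from datetime import date

# Constructed: bulletin id -> (release date, CVEs it covers). One bulletin may cover many CVEs.
SAMPLE_BULLETINS = {
    "MS-EXAMPLE-001": (date(2013, 2, 12), ["CVE-2013-1001", "CVE-2013-1002"]),
    "MS-EXAMPLE-002": (date(2013, 3, 12), ["CVE-2013-1003"]),
    "MS-EXAMPLE-003": (date(2013, 4, 9), ["CVE-2013-1004", "CVE-2013-1005", "CVE-2013-1006"]),
    "MS-EXAMPLE-004": (date(2013, 5, 14), ["CVE-2013-1007", "CVE-2013-1008", "CVE-2013-1009",
                                           "CVE-2013-1010", "CVE-2013-1011"]),
}

# Constructed: CVE id -> NVD published date. CVE-2013-1011 has no NVD record on purpose.
SAMPLE_NVD_PUBLISHED = {
    "CVE-2013-1001": date(2013, 2, 12),   # same day as the bulletin
    "CVE-2013-1002": date(2013, 2, 13),
    "CVE-2013-1003": date(2013, 1, 30),   # public before MS responded: the "0 day" case
    "CVE-2013-1004": date(2013, 4, 9),
    "CVE-2013-1005": date(2013, 4, 10),
    "CVE-2013-1006": date(2013, 4, 11),
    "CVE-2013-1007": date(2013, 5, 14),
    "CVE-2013-1008": date(2013, 5, 15),
    "CVE-2013-1009": date(2013, 5, 16),
    "CVE-2013-1010": date(2013, 5, 20),
}


def classify(bulletin_date, cve_published):
    """Bulletin timing relative to CVE publication: 'before', 'with' (same day) or 'after'."""
    if bulletin_date < cve_published:
        return "before"
    if bulletin_date == cve_published:
        return "with"
    return "after"


def correlate(bulletins, nvd_published):
    """Count CVEs per timing class; CVEs without an NVD record are reported as 'unmatched'."""
    counts = Counter()
    for _bulletin_id, (released, cves) in bulletins.items():
        for cve in cves:
            published = nvd_published.get(cve)
            counts["unmatched" if published is None else classify(released, published)] += 1
    return dict(counts)


def zero_day_share(counts):
    """Fraction of matched CVEs that were already public when the bulletin came out."""
    matched = counts.get("before", 0) + counts.get("with", 0) + counts.get("after", 0)
    return counts.get("after", 0) / matched if matched else 0.0


if __name__ == "__main__":
    result = correlate(SAMPLE_BULLETINS, SAMPLE_NVD_PUBLISHED)
    print(result, "share published before the bulletin:", zero_day_share(result))
```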
Microsoft 0 day vulnerabilities
If the MS correlation numbers carry over to other vendors: about 1 out of every 10 vulnerabilities discovered is known by attackers before the vendor can patch
– Security products will often not provide protection against these attacks until they know about them
– Mitigations are more important in this respect
Attackers could possibly evade them, but the exploitation cost goes up significantly
The latest Windows/Linux have plenty of mitigations available by default: Windows 8 has improved on many of them
EMET (free MS tool) can enable protections that make it harder to exploit vulnerabilities in Windows: e.g., better ASLR, RopGuard.
Present
Let’s take a look at the first quarter of 2014: January 1st until March 31st 2014
We will look at total vulnerabilities this year and severity
We will also look at the top 10 vendor and top 10 products for this quarter
Note: this data may not be completely up to date: while the data was retrieved on April 1st, it may not include all up to date information on a vulnerability, as this may be updated later.
– This is especially true for the “unknown” vulnerabilities
Total vulnerabilities: 2014
Chart: first-quarter counts for each year from 2005 to 2014, 0-2000 scale, with series Q1 total, Q1 >= 7 and Q1 = 10 (bar values are not recoverable from the slide).
Vulnerability types: 2014
Not enough info, 16%
XSS, 16%
Buffer Errors, 13%
Access Control, 13%
Input Validation, 10%
SQL Injection, 5%
Resource Management, 5%
Path Traversal, 4%
Information Leak, 3%
CSRF, 3%
Crypto, 3%
Authentication, 2%
Numeric Errors, 2%
Credentials, 2%
Code Injection, 2%
Link Following, 1%
Race Conditions, 1%
OS Command Injection, 1%
Top 10 Products: 2014
Internet Explorer, 43
Firefox, 37
JDK, 36
JRE, 36
Chrome, 35
Owncloud, 34
Seamonkey, 32
Linux Kernel, 28
iPhone, 24
Thunderbird, 21
Future
Plenty of static analysis tools, mitigations, etc. exist, yet buffer overflows remain a very important vulnerability class now and will probably remain so in the future
Access control / privilege issues will continue to remain important, in large part due to better privilege separation
Google will probably keep moving up the top 10; it entered it for the first time this year, displacing Adobe
Fewer vulnerabilities were reported in 2013
– Serious vulnerabilities have remained stable at 1/3rd of all vulnerabilities
– Critical vulnerabilities have also remained stable at 1/10th of all vulnerabilities
– In 2014 more vulnerabilities have been reported, with a slightly lower percentage of serious ones (but the same in absolute terms), and fewer critical ones
Vulnerabilities are not the same thing as exploits
Some vulnerabilities end up not being practically exploitable
– Mitigations
– Too much effort required
– Very specific environmental requirements
– Not reliable
CVSS doesn’t really take environmental concerns into account
Microsoft study on exploits: Software Vulnerability Exploitation Trends http://www.microsoft.com/en-us/download/details.aspx?id=39680
Cisco 2014 Annual Security Report http://www.cisco.com/web/offers/lp/2014-annual-security-report/index.html
Exploits and exploitation
From Microsoft’s study:
– Looked at a number of vulnerabilities that were classified as remote code execution (RCE) in 2006-2012
Looked at about 800 vulnerabilities
29% were exploited; the rest of the vulnerabilities were not exploited
– Most vulnerabilities are exploited after the patch, but an increasing number of 0-day vulnerabilities are being exploited
– Trends show that fewer vulnerabilities are being exploited since 2012, which coincides with the adoption of Windows 7 and IE10
– However, there was a lull in 2007 and 2008 too, after Vista was released (the first Windows with real mitigations)
Could mean that this is a similar lull, due to improved mitigations in both Windows 7 and IE10
– In 2012 there were no newly exploited vulnerabilities for Windows 2000
Windows 2000 was end-of-lifed in 2010, so there has been no need for many new vulnerabilities since then; the impact could be interesting for XP
Exploits and exploitation
Microsoft Study also found that
– Stack-based buffer overflows were massively exploited in 2006-2009
Decline since then: probably due to mitigations
– Heap corruption remained popular the entire time
– Increased exploitation of use-after-free vulnerabilities
Most exploited vulnerability type for Windows 7 and Vista
Occurs more in client-side applications (browsers)
No mitigations that address use-after-free specifically
– The study also looks at exploitation techniques
Exploits increasingly make use of mitigation bypasses
Exploits and exploitation
Cisco Report:
– For web exploits, Java vulnerabilities are the most exploited by attackers: 91% of indicators of compromise monitored by FireAMP were related to Java
Far fewer were related to Flash or PDF
– 1.2% of all web malware targets a specific mobile device
– 99% of all that malware targets Android; 0.84% targets J2ME devices (the second most popular target)
– The most frequently occurring mobile malware was Andr/Qdplugin-A: 43.8%
Frequently repackaged in legitimate apps distributed on unofficial marketplaces
– General malware types: trojans, 64%; adware 20%, worms 8% and viruses 4%
Trends
Major software projects from important vendors still have plenty of vulnerabilities
– Some vendors spend a lot of money and effort to improve the security of their products
– They still suffer from significant vulnerabilities
– Software is more secure today than it has ever been
– Compromises continue
– As with other fields, defenders have to be lucky all the time, while attackers only need to be lucky once
– Make it as hard as possible for attackers by enabling mitigations, ensuring significant access control
Trends
Browsers are a very important point of attack
Vulnerabilities in browsers themselves
– Major browsers are in all 3 categories of the top 10 vulnerable products
Vulnerabilities in file formats parsed by plugins
– Media files
– PDF: in the serious and critical top 10
– Java: in all 3 top 10 categories
– Flash: also in the serious and critical top 10
Important to run the latest browsers: IE10 and Chrome have invested a lot in mitigations
Disable plugins you don’t need: Java, PDF, etc.
Trends
Mobile phones also suffer from plenty of vulns:
Ensuring adequate protection on phones (AV, MDM, etc.) is important
Malware is important on mobile phones too, not just vulnerabilities
– Mobile Device Management can help against malware, but doesn’t really help against vulnerabilities
– Much harder for a user to determine “safe” software
On a PC, legitimate software is acquired from a number of trusted sources
On app stores (mainly Android), everything looks legitimate
Plan for compromise
Attackers breaking in is not inevitable, but a real possibility that must be considered given the number of vulnerabilities
Breaking in doesn’t mean total compromise
Client-side vulnerabilities are very important these days
Users have a higher risk of being compromised
Identify most important assets
Identify risks to those assets
Mitigate risk
Access control (firewalls on internal servers)
Internal detection (IDS/IPS for those servers)
Use SSL/other encryption internally too
Plan for compromise
Have an incident response plan
Define what an incident is
Establish areas of responsibility for investigation and recovery
Containment
Can you contain the attacker quickly
What steps are required to recover from an incident
Recovery may be different depending on the type of incident
Determine how to restore asset quickly if compromised
Need to identify way of entry to prevent future compromises
Retrospective security can help with this
Examine extent of intrusion: e.g., must all users change passwords?
Conclusion
Microsoft has significantly improved in the last couple of years, their browser and mobile OS are better than their competitors in terms of vulnerabilities discovered
Google’s entry into the consumer software and hardware (as opposed to running a web service) has been accompanied by a significant number of vulnerabilities
Oracle’s acquisition of Sun has brought quite a number of extra vulnerabilities under the Oracle banner, some are even still counted as Sun right now
Conclusion
Vulnerabilities are here to stay
– While serious vulnerabilities have been in decline, total vulnerabilities are not and neither are critical
– At some point many vendors thought that hunting for enough vulnerabilities would make software secure
– New features increase the attack surface or make previously non-exploitable errors exploitable
– Using several non-serious vulnerabilities in concert could result in a more serious issue
– Buffer overflows have been around for 25 years yet are still one of the top vulnerabilities
Full report (up to 2012) available via http://www.sourcefire.com/25yearsofvulns
Get rid of XP: end of life was last week, no more security updates