Microsoft Security and a Recent Vulnerability
I was contacted by JT Keating, VP of Marketing at CoreTrace, for a quick chat about MS08-067. (CoreTrace has a whitelisting product called Bouncer.) If you have no idea what MS08-067 is, it is the identifier of a Microsoft security bulletin and of the Windows vulnerability that bulletin fixes. It isn't just any vulnerability. Vulnerabilities get discovered all the time and vendors regularly issue patches for them, but this one may turn out to be more serious than the run-of-the-mill kind. I'll explain why in a minute.
Microsoft and IT Security
Microsoft is in the uncomfortable position of being the primary target for almost all malware. You could have accused Microsoft of not taking IT security seriously enough in the late 1990s, but that would be an unfair accusation now: Microsoft invests heavily and tries very hard. A few things work against it:
- A thriving ecosystem of Black Hats has grown up around Microsoft. The simple fact is that most of the hacking skill in the world is focused on Windows. No virus on the Mac or Linux has yet been a success on anything like the scale that Windows viruses routinely achieve, where success is measured by infectiousness. With Windows there are, of course, many examples.
- There was severe user pushback against the user-controlled security (User Account Control) that Microsoft added to Vista, which pretty much forced Microsoft to give the user an on/off switch.
Vista could have been the beginning of the end for highly infectious malware. A virus has to be infectious to spread, and no self-respecting Black Hat wants to release one that only manages to infect a handful of machines; the goal is to infect thousands, tens of thousands or hundreds of thousands. It doesn't matter if the AV vendors eventually recognize the virus and start to block it, because there is bound to be a good number of infected machines where the AV software doesn't run properly or someone turned it off. Those machines keep the virus moving, launch other viruses, or carry out other Black Hat activity such as sending spam and mounting denial of service attacks.
A recent security report from Microsoft, released on 3rd November, reports some positive signs in that respect: the worldwide spread of malware is trending downwards, and the year-over-year reduction in Windows-targeted malware amounts to about a third. Microsoft likes to pretend that it isn't the primary domain of security problems by comparing itself with other software vendors in terms of vulnerability counts. That isn't comparing apples with apples and it doesn't shed a great deal of light on the security situation. However, the report does contain some apples-to-apples information. It's comforting to know that more vulnerabilities are being discovered in Windows XP than in Windows Vista. It's also sobering to contemplate that, on average, more than 15 new software vulnerabilities are disclosed each day.
Microsoft reports that third-party software is now the "attack vector of choice". Other data in the report shows that XP is attacked more frequently than Vista. On XP machines, Microsoft's own software accounted for 42 percent of the vulnerabilities that were attacked, while 58 percent were in third-party software running on Windows. On Vista the disparity was much larger, with Microsoft's software accounting for 6 percent of the vulnerabilities attacked and third-party software for 94 percent. All of this confirms what my initial technical analysis suggested to me: Vista is more secure than XP.
MS08-067
What is unusual about MS08-067 is that it was discovered in October from activity "in the wild", which means the vulnerability was spotted because it was already being exploited. It affects every supported version of Windows, including Vista and Server 2008. Microsoft rates it Critical on Windows 2000, XP and Server 2003, where it can be exploited over the network without authentication, and Important on Vista and Server 2008, where according to the bulletin an attacker needs to be authenticated to reach the vulnerable code. Either way, you need to patch it ASAP. The bug is in the Server service, the component behind file and printer sharing, and is triggered by a specially crafted Remote Procedure Call (RPC) request sent over SMB; consequently, an appropriately designed worm could pull the same trick as the Blaster worm, which exploited an earlier RPC vulnerability (MS03-026): scan the net for vulnerable machines, infect each one quickly, in a second or two, and so spread with dramatic speed. It's therefore possible that a new highly infectious worm is waiting in the wings for its 15 minutes of fame.
In one way it would be more worrying if such a worm did not emerge, because then there would be less incentive for companies to install the necessary patch. Incidentally, Microsoft has done well: the bug was discovered and fixed across five Windows releases (2000, XP, Server 2003, Vista and Server 2008), on multiple architectures, in about two weeks.
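Before trusting that the patch has gone out, an administrator will want to check each host rather than assume. The following PowerShell function is an added example; it is not code from the original post, from CoreTrace or from Microsoft. It assumes administrative rights plus WMI and admin-share access to the hosts it queries; the function name Test-MS08067Fix and the host list are illustrative. For each host it reports whether Microsoft's update for MS08-067 (KB958644) appears in the installed-updates inventory, the on-disk version of netapi32.dll (the library the update replaces) for comparison with the file-version table in the bulletin, and whether the Server service is running, since stopping that service and blocking TCP 139 and 445 at the firewall are the bulletin's interim workarounds for hosts that cannot be patched at once.

```powershell
# Added example, not from the original post or from CoreTrace/Microsoft.
# Checks each host for the MS08-067 fix and for the interim workaround state.
# Assumes admin rights and WMI + admin$ share access; hosts are illustrative.
function Test-MS08067Fix {
    param(
        [string[]]$Targets = @('localhost')   # hypothetical host list; replace with your own
    )

    $fixKb = 'KB958644'   # Microsoft's update identifier for MS08-067

    foreach ($computer in $Targets) {
        $result = New-Object PSObject -Property @{
            Computer        = $computer
            FixInstalled    = $false
            NetApi32Version = $null
            ServerService   = $null
        }

        # 1. Is the hotfix listed in the installed-updates inventory?
        #    (Win32_QuickFixEngineering is what Get-HotFix reads on newer PowerShell.)
        $hotfix = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $computer `
                  -Filter "HotFixID='$fixKb'" -ErrorAction SilentlyContinue
        $result.FixInstalled = [bool]$hotfix

        # 2. Which netapi32.dll is actually on disk? Compare the version against the
        #    file-version table in the MS08-067 bulletin for the host's OS and service
        #    pack; a lower version means the update has not taken effect (e.g. reboot pending).
        if (@('localhost', '.', $env:COMPUTERNAME) -contains $computer) {
            $dll = Join-Path $env:SystemRoot 'System32\netapi32.dll'
        } else {
            $dll = "\\$computer\admin`$\System32\netapi32.dll"
        }
        if (Test-Path $dll) {
            $result.NetApi32Version = (Get-Item $dll).VersionInfo.FileVersion
        }

        # 3. Is the vulnerable Server service (lanmanserver) running? Stopping it and
        #    blocking TCP 139/445 are the bulletin's workarounds for unpatched hosts.
        $svc = Get-WmiObject -Class Win32_Service -ComputerName $computer `
               -Filter "Name='lanmanserver'" -ErrorAction SilentlyContinue
        if ($svc) { $result.ServerService = $svc.State }

        $result
    }
}

# Usage: query the local machine and a couple of (hypothetical) servers.
Test-MS08067Fix -Targets @('localhost', 'FILESRV01', 'PRINTSRV02') |
    Format-Table Computer, FixInstalled, NetApi32Version, ServerService -AutoSize
```

A host that shows FixInstalled as True but still reports the pre-update netapi32.dll version is the case worth chasing: the package is registered but the file has not been replaced yet, usually because a reboot is outstanding. A host with FixInstalled False and ServerService Running, reachable on TCP 445 from untrusted networks, is the one a Blaster-style worm would hit first.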
The possibility of hackers using this vulnerability to silently plant trojans and rootkits has to be the biggest concern. AV technology will stop a highly infectious worm given time, but to be really secure against a threat like this, whitelisting technology is needed. One caveat is worth stating plainly: application whitelisting stops the dropped executable from ever running, which kills the infection stone dead, but it does not stop the exploit itself from corrupting memory inside the Server service and running shellcode there. Whitelisting therefore complements the patch rather than replacing it. The patch closes the hole; the whitelist limits what an attacker who gets through it can do.