
Security Vulnerabilities in Modern Operating Systems


The Common Exposures and Vulnerabilities database has over 25 years of data on vulnerabilities in it. In this deck we dig through that database and use it to map out trends and general information on vulnerabilities in software in the last quarter century. For more information please visit our website: http://www.cisco.com/web/CA/index.html


Page 1: Security Vulnerabilities in Modern Operating Systems
Page 2

Security Vulnerabilities in Modern Operating Systems T-SEC-18-B

Yves Younan

Senior Research Engineer

Vulnerability Research Team (Sourcefire, now part of Cisco)

Page 3

Cisco and/or its affiliates. All rights reserved. T-SEC-18-B Cisco Public

Overview

A look at more than 25 years of past vulnerabilities

– Based on the CVE/NVD data.

– CVE started in 1999, but includes historical data going back to 1988.

– NVD hosts all CVE information in addition to some extra data about vulnerability types, etc.

– Based on the Sourcefire report: http://www.sourcefire.com/25yearsofvulns

Updated with data from 2013 and 2014, plus data from other sources

A look at the future

– What trends do we expect?

A look at exploitation trends based on other reports

What can we do to protect ourselves

Page 4

Vulnerabilities Past

Data from 1988-2013

– More than 59,800 vulnerabilities in this period

– Majority of vulnerabilities in the last half of this period

– Data has some issues though

Depending on reporting, a single CVE entry could cover multiple similar vulnerabilities or just one

Sometimes product assignment is spotty (we’ve tried to clean this up a bit for mobile)

– Not correctly assigned to a product, or multiple product names for the same product

The categories that are used are not very good and their assignment is not all that great

– The set of categories also changed significantly at one point

We use the “published date” provided by NVD to determine when a vulnerability was published: CVE ids are assigned when they are requested, not when they are published, so small discrepancies between ids and dates can exist around the end of the year

– For example: CVE-2013-6642 was published in 2014

Page 5

Common vulnerability scoring system

Analyst answers the following about the vulnerability:

– Impact on confidentiality, integrity, availability: low, partial, complete

– Access vector: local, adjacent network, remote

– Authentication required: none, single, multiple

Gives a base score of 0-10

We use the following in the stats:

– CVSS >= 7 is considered a serious vulnerability (this includes critical)

– CVSS = 10 is considered a critical vulnerability

– Note: if insufficient information is available, NVD will consider the vulnerability to be critical

Gives us a measure of vulnerability impact, but can be a little subjective

– One score, while multiple platforms may be affected, with different impacts (e.g. due to mitigations)
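The two rules above (serious = CVSS >= 7, critical = CVSS = 10, with unscored entries treated as critical) and the published-date rule from the previous slide decide the per-year totals and percentages shown on the following slides, and they are easy to get subtly wrong when reproducing the statistics. The Python below is an added example written for this page, not code from the deck or from Sourcefire/Cisco: the records in SAMPLE are constructed, and the function and constant names are this example's own.

```python
from collections import defaultdict
from datetime import date

# Constructed NVD-like records, not real CVE data: (cve id, NVD published date, CVSS v2 base score).
# A score of None models an entry NVD could not score for lack of information.
SAMPLE = [
    ("CVE-2012-0001", date(2012, 1, 15), 9.3),
    ("CVE-2012-0002", date(2012, 3, 2), 4.3),
    ("CVE-2012-0003", date(2012, 6, 30), 10.0),
    ("CVE-2012-0004", date(2012, 11, 8), None),
    ("CVE-2012-0005", date(2013, 1, 9), 7.5),    # 2012 id, but published in 2013
    ("CVE-2013-0001", date(2013, 2, 1), 5.0),
    ("CVE-2013-0002", date(2013, 7, 19), 10.0),
    ("CVE-2013-0003", date(2013, 12, 31), 6.8),
]

SERIOUS = 7.0     # slide: CVSS >= 7 is serious (critical included)
CRITICAL = 10.0   # slide: CVSS = 10 is critical


def effective_score(score):
    """Apply the slide's rule: an entry without enough information counts as critical."""
    return CRITICAL if score is None else score


def yearly_stats(records):
    """Return {year: (total, serious, critical)}, keyed by the NVD published date, not the id year."""
    counts = defaultdict(lambda: [0, 0, 0])
    for _cve_id, published, score in records:
        s = effective_score(score)
        bucket = counts[published.year]
        bucket[0] += 1
        if s >= SERIOUS:
            bucket[1] += 1
        if s == CRITICAL:
            bucket[2] += 1
    return {year: tuple(v) for year, v in counts.items()}


def percentage(part, whole):
    """Percentage rounded to two decimals, as on the 'percentage of all vulnerabilities' slides."""
    return round(100.0 * part / whole, 2) if whole else 0.0


def id_year_mismatches(records):
    """CVE ids whose year component differs from the year NVD published them."""
    return [cve_id for cve_id, published, _ in records
            if int(cve_id.split("-")[1]) != published.year]


if __name__ == "__main__":
    for year, (total, serious, critical) in sorted(yearly_stats(SAMPLE).items()):
        print(year, total,
              serious, f"{percentage(serious, total)}%",
              critical, f"{percentage(critical, total)}%")
    print("id/date mismatches:", id_year_mismatches(SAMPLE))
```

Counting by published year rather than by the year in the CVE id is what moves CVE-2012-0005 into 2013; the unscored CVE-2012-0004 lands in both the serious and the critical bucket, which is why a rising "Not enough info" share also inflates the critical percentage.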

Page 6

Total Vulnerabilities by Year

Year    Total vulnerabilities
1988    2
1989    3
1990    11
1991    15
1992    13
1993    13
1994    25
1995    25
1996    75
1997    252
1998    246
1999    894
2000    1020
2001    1677
2002    2156
2003    1528
2004    2451
2005    4931
2006    6609
2007    6516
2008    5636
2009    5731
2010    4638
2011    4151
2012    5281
2013    4747

Page 7

Total Serious Vulnerabilities

Year    Serious vulnerabilities (CVSS >= 7)
1988    2
1989    2
1990    8
1991    11
1992    12
1993    8
1994    14
1995    17
1996    45
1997    145
1998    133
1999    424
2000    452
2001    772
2002    1002
2003    678
2004    970
2005    2037
2006    2761
2007    3159
2008    2838
2009    2714
2010    2084
2011    1821
2012    1772
2013    1638

Page 8

Serious Vulnerabilities Percentage of All Vulnerabilities

Year    Serious as % of all vulnerabilities
1988    100
1989    66.67
1990    72.73
1991    73.33
1992    92.31
1993    61.54
1994    56
1995    68
1996    60
1997    57.54
1998    54.07
1999    47.43
2000    44.31
2001    46.03
2002    46.47
2003    44.37
2004    39.58
2005    41.31
2006    41.78
2007    48.48
2008    50.35
2009    47.36
2010    44.93
2011    43.87
2012    33.55
2013    34.51

Page 9

Total Critical Vulnerabilities

Year    Critical vulnerabilities (CVSS = 10)
1988    2
1989    1
1990    1
1991    4
1992    3
1993    2
1994    1
1995    7
1996    8
1997    24
1998    23
1999    161
2000    142
2001    149
2002    155
2003    119
2004    211
2005    284
2006    274
2007    475
2008    425
2009    373
2010    258
2011    387
2012    483
2013    437

Page 10

Critical Vulnerabilities Percentage of All Vulnerabilities

Year    Critical as % of all vulnerabilities
1988    100
1989    33.33
1990    9.09
1991    26.67
1992    23.08
1993    15.38
1994    4
1995    28
1996    10.67
1997    9.52
1998    9.35
1999    18.01
2000    13.92
2001    8.88
2002    7.19
2003    7.79
2004    8.61
2005    5.76
2006    4.15
2007    7.29
2008    7.54
2009    6.51
2010    5.56
2011    9.32
2012    9.15
2013    9.21

Page 11

Vulnerabilities by Type

Common Weakness Enumeration creates a number of categories for vulnerabilities

NVD uses a subset of CWE to categorize vulnerabilities:

– Authentication issues: not properly authenticating users

– Credentials management: password/credential storage/transmission issues

– Access Control: permission errors, privilege errors, etc.

– Buffer error: buffer overflows, etc.

– CSRF: cross-site request forgery

– XSS: cross site scripting

Page 12

Vulnerabilities by Type

NVD CWE subset continued:

– Cryptographic issues: errors in crypto

– Path traversal: incorrectly handling input like “..”

– Code injection: executing scripting code or similar

– Format string vulnerability: when attackers control the format specifier for a formatting function

– Configuration: errors in configuration

– Information leak: exposing sensitive information

– Input validation: lack of verifying input; overlaps with other categories, kind of a misc. category

– Numeric errors: integer overflows, signedness errors, etc.

Page 13

Vulnerabilities by Type

NVD CWE subset continued:

– OS Command Injections: executing via command line

– Race conditions: time of check to time of use errors

– Resource management errors: memory leaks, consuming of excess resources, etc.

– SQL injection

– Link following: following symlinks / hard links

Page 14

Vulnerabilities by Type

Buffer Errors 15%

XSS 13%

Access Control 11%

Input Validation 10%

SQL Injection 10%

Not enough info 8%

Code Injection 6%

Information Leak 5%

Resource Management 5%

Path Traversal 4%

Numeric Errors 2%

Configuration 2%

Authentication 2%

Crypto 1%

Credentials 1%

CSRF 1%

Link Following 1%

Race Conditions 1%

OS Command Injection 1%

Page 15

Serious Vulnerabilities by Type

Buffer Errors 23%

SQL Injection 19%

Access Control 10%

Code Injection 10%

Not enough info 8%

Input Validation 8%

Resource Management 4%

Path Traversal 3%

Numeric Errors 2%

Authentication 2%

Configuration 2%

OS Command Injection 2%

Format String 1%

Credentials 1%

Information Leak 1%

Crypto 1%

XSS 1%

Page 16

Critical Vulnerabilities by Type

Buffer Errors 35%

Not enough info 22%

Access Control 8%

Input Validation 6%

Code Injection 4%

Resource Management 4%

OS Command Injection 3%

Numeric Errors 3%

Configuration 3%

Authentication 3%

Credentials 2%

Format String 2%

Path Traversal 2%

SQL Injection 1%

Information Leak 1%

Crypto 1%

Page 17

Vulnerability Types Over the Years

[Chart: vulnerability counts per year for the series Not enough info, Code Injection, Configuration, Input Validation, Access Control, Buffer errors, SQL Injection and XSS; the per-year values are not recoverable from the extracted text]

Page 18

Vulnerabilities by Vendor

NVD has information on affected product for 58,561 vulnerabilities

Top 10 vendors account for 16,696 vulnerabilities, more than 28% of all vulnerabilities.

Some vendors have lots of products, which can result in a higher total vulnerabilities count

We will also look at specific products later so we can provide more extensive analysis

Page 19

Top 10 Vendors for Total Vulnerabilities

Microsoft, 3280

Apple, 2122

Oracle, 2025

IBM, 1802

Sun, 1558

Cisco, 1523

Mozilla, 1255

Linux, 1097

HP, 1037

Google, 997

Page 20

Top 10 Vendors for Serious Vulnerabilities

Microsoft, 1948

Apple, 921

Cisco, 830

Adobe, 757

Sun, 727

IBM, 662

Mozilla, 613

Oracle, 580

Google, 559

HP, 554

Page 21

Top 10 Vendors for Critical Vulnerabilities

Adobe, 300

Oracle, 287

Mozilla, 246

Sun, 235

HP, 235

IBM, 197

Microsoft, 183

Google, 113

Cisco, 97

Apple, 72

Page 22

Top 10 Vendors over the Years

[Chart: vulnerabilities per year for the top 10 vendors Microsoft, Apple, Oracle, IBM, Sun, Cisco, Mozilla, Linux, HP and Google (y axis 0 to 600); the per-year values are not recoverable from the extracted text]

Page 23

Top 10 Vendors, total number of distinct products


HP, 1291

Cisco, 889

IBM, 450

Microsoft, 361

Oracle, 232

Sun, 199

Apple, 92

Google, 32

Mozilla, 19

Linux, 7

Page 24

Top 10 vendors, unique CVEs to distinct products ratio


Linux, 156.7

Mozilla, 66.1

Google, 31.2

Apple, 23.1

Microsoft, 9.1

Oracle, 8.7

Sun, 7.8

IBM, 4

Cisco, 1.7

HP, 0.8

Page 25

Vulnerabilities by Product

Our vendor comparison gave us an idea who had to deal with the most vulnerabilities

However, vendors have multiple products: having more products will usually result in suffering from more vulnerabilities

– As was seen in the product versus CVE entry comparison

Here we look at product specific comparisons

– What products had the most vulnerabilities

Some caveats

– Some versions are considered distinct products: every Windows version is a distinct product
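Because every Windows version (and every Mozilla product built on the same code) is a distinct product in NVD, the "totaled with similar products" slides that follow cannot simply add the per-product numbers: one CVE that affects XP, Vista and Server 2008 would then be counted three times. The Python below is an added example for this page, not the deck's own code or grouping: the AFFECTED rows are constructed, and the family rules in FAMILY_RULES are a hypothetical grouping chosen to mirror the family names used on the later slides.

```python
from collections import defaultdict

# Constructed affected-product rows (cve id, vendor, product), modelled on NVD's
# vendor/product fields. These are not real NVD records.
AFFECTED = [
    ("CVE-0000-0001", "microsoft", "windows_xp"),
    ("CVE-0000-0001", "microsoft", "windows_vista"),
    ("CVE-0000-0001", "microsoft", "windows_server_2008"),
    ("CVE-0000-0002", "microsoft", "windows_xp"),
    ("CVE-0000-0003", "mozilla", "firefox"),
    ("CVE-0000-0003", "mozilla", "seamonkey"),
    ("CVE-0000-0003", "mozilla", "thunderbird"),
    ("CVE-0000-0004", "mozilla", "firefox"),
    ("CVE-0000-0005", "linux", "linux_kernel"),
    ("CVE-0000-0005", "redhat", "enterprise_linux"),
    ("CVE-0000-0006", "sun", "jre"),
    ("CVE-0000-0006", "oracle", "jre"),   # same product listed under two vendor names
]

# Hypothetical family rules (the deck does not publish its grouping); first match wins.
FAMILY_RULES = [
    ("All Windows",   lambda v, p: v == "microsoft" and p.startswith("windows")),
    ("Mozilla Suite", lambda v, p: v == "mozilla" and p in {"firefox", "seamonkey", "thunderbird"}),
    ("Linux+Redhat",  lambda v, p: p == "linux_kernel" or v == "redhat"),
    ("JRE/JDK",       lambda v, p: p in {"jre", "jdk"}),
]


def family_of(vendor, product):
    """Map a (vendor, product) pair to its family; unmatched products stay on their own."""
    for name, rule in FAMILY_RULES:
        if rule(vendor, product):
            return name
    return f"{vendor}:{product}"


def per_product_counts(rows):
    """Unique CVEs per (vendor, product): the 'distinct product' view of this slide."""
    seen = defaultdict(set)
    for cve, vendor, product in rows:
        seen[(vendor, product)].add(cve)
    return {key: len(cves) for key, cves in seen.items()}


def per_family_counts(rows):
    """Unique CVEs per family: the 'totaled with similar products' view, de-duplicated."""
    seen = defaultdict(set)
    for cve, vendor, product in rows:
        seen[family_of(vendor, product)].add(cve)
    return {key: len(cves) for key, cves in seen.items()}


def naive_family_sum(rows, family):
    """What simply adding the per-product numbers gives: shared CVEs are over-counted."""
    return sum(n for (vendor, product), n in per_product_counts(rows).items()
               if family_of(vendor, product) == family)


if __name__ == "__main__":
    print(per_product_counts(AFFECTED))
    print(per_family_counts(AFFECTED))
    print("naive All Windows:", naive_family_sum(AFFECTED, "All Windows"))
```

Keeping a set of CVE ids per family rather than an integer counter is the whole point: the family total is the size of the union, which is why "All Windows" on the totalled slide is far below the sum of the individual Windows versions.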

Page 26

Top 10 Vulnerable Products

Linux Kernel, 1090

Firefox, 1013

Chrome, 886

Mac OSX, 847

Windows XP, 717

Seamonkey, 628

Internet Explorer, 625

Mac OSX Server, 608

Thunderbird, 594

Solaris, 557

Page 27

Top 10 vulnerable products without shared code bases


Linux Kernel, 1090

Firefox, 1013

Chrome, 886

Mac OSX, 847

Windows XP, 717

Internet Explorer, 625

Solaris, 557

JRE, 496

Safari, 460

Linux, 396

Page 28

Top 10 vulnerable products, totaled with similar products


Linux+Redhat, 1895

All Windows, 1237

Mozilla Suite, 1046

Mac OS, 891

Chrome, 886

Internet Explorer, 625

Solaris, 590

JRE/JDK, 501

Safari, 460

PHP, 353

Page 29

Top 10 Seriously Vulnerable Products

Firefox, 529

Chrome, 513

Windows XP, 501

Thunderbird, 365

Seamonkey, 364

Windows Vista, 346

Windows Server 2008, 337

Windows 2000, 311

Internet Explorer, 307

Windows 2003 Server, 299

Page 30

Top 10 Seriously Vulnerable Products, totaled (similar)


All Windows, 755

Linux+Redhat, 567

Firefox, 539

Chrome, 513

Internet Explorer, 307

Mac OS X, 303

JDK/JRE, 289

Acrobat, 283

Solaris, 277

Flash/Air, 260

Page 31

Top 10 Critically Vulnerable Products

Firefox, 234

Thunderbird, 179

Seamonkey, 167

JRE, 152

JDK, 145

Flash Player, 134

Adobe Air, 119

Chrome, 99

Acrobat Reader, 96

Acrobat, 92

Page 32

Top 10 Critically Vulnerable Products, totalled (similar)

Mozilla suite, 238

JRE/JDK, 153

Flash/Air, 135

All Windows, 103

Linux+Redhat, 101

Chrome, 99

Acrobat, 96

Solaris, 61

Oracle Database, 54

AIX, 49

Page 33

Vulnerabilities by Windows Version

XP, 717

Server 2003, 618

Win 2000, 504

Vista, 455

Server 2008, 450

Win 7, 325

NT, 247

Win 98, 89

Win 8, 63

Win Me, 57

Server 2012, 56

Win 95, 46

Page 34

Vulnerabilities by Mobile Phone OS

iPhone, 310

Windows, 49

Android, 36

BlackBerry, 13

Page 35

Vulnerabilities by Mobile Phone OS

Android, 166

iPhone, 164

Windows, 54

BlackBerry, 28

Page 36

Microsoft Bulletins

Contain information on all Microsoft vulnerabilities and associated CVEs

Correlate the release dates of the bulletins with the release dates of the CVEs

Gives us insight into how often vulnerabilities are 0-day vulns

– If the CVE is published before the MS bulletin, vulnerability information was available before MS had responded

No particular reason for choosing Microsoft, except that they make the information easily available and usable on their website
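The correlation described on this slide is a date comparison per CVE: the bulletin's release date is compared with NVD's published date for each CVE the bulletin covers, and the "bulletin after CVE" bucket is the 0-day indicator the next slides use. The Python below is an added example for this page, not the deck's own tooling: the bulletin ids (MSxx-nnn) and CVE records are constructed placeholders, and SLIDE_COUNTS carries the three totals from the following slide so the share can be checked against the deck's "about 1 in 10".

```python
from datetime import date

# Constructed bulletin data (placeholder ids, not real MSRC bulletins):
# bulletin id -> (bulletin release date, CVE ids it covers)
BULLETINS = {
    "MSxx-001": (date(2013, 2, 12), ["CVE-2013-1001", "CVE-2013-1002"]),
    "MSxx-002": (date(2013, 3, 12), ["CVE-2013-1003"]),
    "MSxx-003": (date(2013, 4, 9),  ["CVE-2013-1004", "CVE-2013-1005"]),
}

# Constructed NVD published dates for the same CVE ids.
CVE_PUBLISHED = {
    "CVE-2013-1001": date(2013, 2, 13),  # NVD entry appeared the day after the bulletin
    "CVE-2013-1002": date(2013, 2, 12),  # same day as the bulletin
    "CVE-2013-1003": date(2013, 3, 12),
    "CVE-2013-1004": date(2013, 3, 20),  # public 20 days before the fix: the 0-day case
    "CVE-2013-1005": date(2013, 4, 9),
}

# The three totals shown on the next slide, used here to reproduce its percentage.
SLIDE_COUNTS = {"before": 1185, "with": 818, "after": 268}


def classify(bulletin_date, cve_date):
    """Bulletin 'before', 'with' (same day) or 'after' the CVE's published date."""
    if bulletin_date < cve_date:
        return "before"
    if bulletin_date == cve_date:
        return "with"
    return "after"


def correlate(bulletins, cve_published):
    """Return (bucket counts, list of (cve, bulletin, days public before the fix))."""
    counts = {"before": 0, "with": 0, "after": 0}
    zero_days = []
    for bulletin_id, (bulletin_date, cves) in bulletins.items():
        for cve in cves:
            if cve not in cve_published:
                continue  # NVD has not published this entry yet; nothing to compare against
            category = classify(bulletin_date, cve_published[cve])
            counts[category] += 1
            if category == "after":
                days = (bulletin_date - cve_published[cve]).days
                zero_days.append((cve, bulletin_id, days))
    return counts, zero_days


def zero_day_share(counts):
    """Percentage of correlated CVEs that were public before their bulletin."""
    total = sum(counts.values())
    return round(100.0 * counts["after"] / total, 1) if total else 0.0


if __name__ == "__main__":
    counts, zero_days = correlate(BULLETINS, CVE_PUBLISHED)
    print(counts, zero_days, f"{zero_day_share(counts)}%")
    print("deck figures:", f"{zero_day_share(SLIDE_COUNTS)}%")
```

Treating a same-day publication as "with" rather than "after" matters: coordinated disclosures land in NVD on bulletin day, and counting them as 0-days would roughly double the share.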

Page 37

CVE Correlated with MS Bulletins

Bulletin published before CVE, 1185

Bulletin published with CVE, 818

Bulletin published after CVE, 268

Page 38

Microsoft 0 day vulnerabilities

If the MS correlation numbers carry over to other vendors: about 1 out of every 10 vulnerabilities discovered is known by attackers before the vendor can patch

– Security products will often not provide protection against these attacks until they know about them

– Mitigations are more important in this respect

Attackers could possibly evade them, but the exploitation cost goes up significantly

Latest Windows/Linux have plenty of mitigations available by default: Windows 8 has improved on many of them

EMET (a free MS tool) can enable protections that make it harder to exploit vulnerabilities in Windows: e.g., better ASLR, ROPGuard.

Page 39

Present

Let’s take a look at the first quarter of 2014: January 1st until March 31st 2014

We will look at total vulnerabilities this year and severity

We will also look at the top 10 vendor and top 10 products for this quarter

Note: this data may not be completely up to date: while the data was retrieved on April 1st, it may not include all up to date information on a vulnerability, as this may be updated later.

– This is especially true for the “unknown” vulnerabilities

Page 40

Total vulnerabilities: 2014

[Chart: first-quarter vulnerability counts for each year 2005 to 2014, with the series Q1 total, Q1 CVSS >= 7 and Q1 CVSS = 10 (y axis 0 to 2000); the values are not recoverable from the extracted text]

Page 41

Vulnerability types: 2014

Not enough info 16%

XSS 16%

Buffer Errors 13%

Access Control 13%

Input Validation 10%

SQL Injection 5%

Resource Management 5%

Path Traversal 4%

Information Leak 3%

CSRF 3%

Crypto 3%

Authentication 2%

Numeric Errors 2%

Credentials 2%

Code Injection 2%

Link Following 1%

Race Conditions 1%

OS Command Injection 1%

Page 42

Top 10 Products: 2014

Internet Explorer, 43

Firefox, 37

JDK, 36

JRE, 36

Chrome, 35

Owncloud, 34

Seamonkey, 32

Linux Kernel, 28

iPhone, 24

Thunderbird, 21

Page 43

Future

Plenty of static analysis tools, mitigations, etc., yet buffer overflows remain a very important vulnerability class now and probably will in the future too

Access control / privilege issues will continue to remain important in large part due to better privilege separation

Google will probably start moving up the top 10 more, it entered it for the first time this year, displacing Adobe

Fewer vulnerabilities were reported in 2013

– Serious vulnerabilities have remained stable at 1/3rd of the vulnerabilities

– Critical vulnerabilities have also remained stable at 1/10th of all vulnerabilities

– In 2014 more vulnerabilities have been reported, with a slightly lower percentage of serious ones (but the same in absolute terms) and fewer critical ones

Page 44

Vulnerabilities are not the same thing as exploits

Some vulnerabilities end up not being practically exploitable

– Mitigations

– Too much effort required

– Very specific environmental requirements

– Not reliable

CVSS doesn’t really take environmental concerns into account

Microsoft study on exploits: Software Vulnerability Exploitation Trends http://www.microsoft.com/en-us/download/details.aspx?id=39680

Cisco 2014 Annual Security Report http://www.cisco.com/web/offers/lp/2014-annual-security-report/index.html

Page 45

Exploits and exploitation

From Microsoft’s study:

– Looked at a number of vulnerabilities that were classified as remote code execution (RCE) between 2006 and 2012: about 800 vulnerabilities

29% were exploited; the rest of the vulnerabilities were not exploited

Most vulnerabilities are exploited after patch, but an increasing number of 0day vulnerabilities are being exploited

Trends show that fewer vulnerabilities have been exploited since 2012, which coincides with the adoption of Windows 7 and IE10

However, there was a lull in 2007 and 2008 too, after Vista was released (the first Windows with real mitigations)

– Could mean that this is a similar lull, caused by the improved mitigations in both Windows 7 and IE10

In 2012 there were no newly exploited vulnerabilities for Windows 2000

– Windows 2000 was end-of-lifed in 2010, so there has been little need for new exploits since then; the impact of this could be interesting for XP

Page 46

Exploits and exploitation

Microsoft Study also found that

– Stack-based buffer overflows were massively exploited in 2006-2009

Decline since then: probably due to mitigations

– Heap corruption remained popular the entire time

– Increased exploitation of use-after-free vulnerabilities

Most exploited vulnerability type for Windows 7 and Vista

Occurs more in client-side applications (browsers)

No mitigations that address use-after-free specifically

– The study also looks at exploitation techniques

Exploits increasingly make use of mitigation bypasses

Page 47

Exploits and exploitation

Cisco Report:

– For web exploits, Java vulnerabilities are the most exploited by attackers: 91% of indicators of compromise monitored by FireAMP were related to Java

Far fewer were related to Flash or PDF

– 1.2% of all web malware targets a specific mobile device

– 99% of all that malware targets Android; 0.84% targets J2ME devices (the second most popular target)

– The most frequently occurring mobile malware was Andr/Qdplugin-A: 43.8%

Frequently repackaged in legitimate apps distributed on unofficial marketplaces

– General malware types: trojans 64%, adware 20%, worms 8% and viruses 4%

Page 48

Trends

Major software projects from important vendors still have plenty of vulnerabilities

– Some vendors spend a lot of money and effort to improve the security of their products

– They still suffer from significant vulnerabilities

– Software is more secure today than it has ever been

– Compromises continue

– As with other fields, defenders have to be lucky all the time, while attackers only need to be lucky once

– Make it as hard as possible for attackers by enabling mitigations, ensuring significant access control

Page 49

Trends

Browsers are a very important point of attack

Vulnerabilities in browsers themselves

– Major browsers are in all 3 categories of the top 10 vulnerable products

– Vulnerabilities in file formats parsed by plugins

Media files

PDF: in serious and critical top 10

Java: in all 3 top 10 categories

Flash: also in serious and critical top 10

– Important to run latest browsers: IE10 and Chrome have invested a lot in mitigations

Disable plugins you don’t need: Java, PDF, etc.

Page 50

Trends

Mobile phones also suffer from plenty of vulns:

Ensuring adequate protection on phones (AV, MDM, etc.) is important

Malware is important on mobile phones too, not just vulnerabilities

– Mobile Device Management can help against malware, but doesn’t really help against vulnerabilities

– Much harder for a user to determine “safe” software

On PC, legitimate software is acquired from a number of trusted sources

On app stores (mainly Android), everything looks legitimate

Page 51

Plan for compromise

Attackers breaking in is not inevitable, but a real possibility that must be considered given the number of vulnerabilities

Breaking in doesn’t mean total compromise

Client-side vulnerabilities are very important these days

Users have a higher risk of being compromised

Identify most important assets

Identify risks to those assets

Mitigate risk

Access control (firewalls on internal servers)

Internal detection (IDS/IPS for those servers)

Use SSL/other encryption internally too

Page 52

Plan for compromise

Have an incident response plan

Define what an incident is

Establish areas of responsibility for investigation and recovery

Containment

Can you contain the attacker quickly

What steps are required to recover from an incident

Recovery may be different depending on the type of incident

Determine how to restore asset quickly if compromised

Need to identify way of entry to prevent future compromises

Retrospective security can help with this

Examine extent of intrusion: e.g., must all users change passwords?

Page 53

Conclusion

Microsoft has significantly improved in the last couple of years; their browser and mobile OS are better than their competitors’ in terms of vulnerabilities discovered

Google’s entry into the consumer software and hardware (as opposed to running a web service) has been accompanied by a significant number of vulnerabilities

Oracle’s acquisition of Sun has brought quite a number of extra vulnerabilities under the Oracle banner, some are even still counted as Sun right now

Page 54

Conclusion

Vulnerabilities are here to stay

– While serious vulnerabilities have been in decline, total vulnerabilities are not, and neither are critical ones

– At some point many vendors thought that hunting for enough vulnerabilities would make software secure

– New features increase the attack surface or make previously non-exploitable errors exploitable

– Using several non-serious vulnerabilities in concert could result in a more serious issue

– Buffer overflows have been around for 25 years yet are still one of the top vulnerabilities

Full report (up to 2012) available via http://www.sourcefire.com/25yearsofvulns

Get rid of XP: end of life was last week, no more security updates

Page 55