Security Watch

Counting Vulnerabilities

A vulnerability study based on bad math; cyberwarfare is sexy; more.

• By Russ Cooper
• 07/17/2007

The study suggests that the vast majority of vulnerabilities are being discovered "under contract"; the study even goes so far as to suggest that more than three million vulnerabilities are discovered every year by pen-testers under contract. Unfortunately, the essay does a poor job of explaining what a vulnerability is, and strongly suggests that a Web site of 30 pages, each containing the exact same problem, would count as 30 vulnerabilities. Using this sort of math, it's surprising the author didn't come up with numbers in the billions. After all, if there's a billion Windows boxes out there, all with one common vulnerability, then that's a billion vulnerabilities to be discovered right there!

I argue that there's a difference between a "vulnerability" to be discovered, and an implementation flaw that leads to a point of vulnerability. If I put a vanilla Windows XP box on the Internet with a blank administrator password, I haven't created a new vulnerability, merely implemented a vulnerable system. The same is true when people deploy systems with known vulnerabilities present, such as an outdated Apache Web server with known attack points.

In the end, the question you need to ask yourself is how many new vulnerabilities have been discovered in systems you've used since the last time you looked at the security of your system? Or, how often do you check for new vulnerability discoveries in your systems?

This all assumes that what you're interested in is strictly vulnerabilities. I firmly believe that this is a myopic view -- you need to consider risk, not just vulnerability. If there's no threat against your vulnerable system, does its vulnerability matter? The article suggests it doesn't matter, but I believe it makes a significant difference. It even goes so far as to suggest that it doesn't matter how well you secure your systems; the "professionals" will always discover vulnerabilities you haven't mitigated against. It's hogwash FUD intended to sell professional services.

Cyberwarfare Hits Home
A bewildering story at PC World about how the U.S. Department of Defense views China's currently military status: The DoD believes that China has military "units" who develop viruses for use in information warfare.

Well, duh! If you accept that knocking out communications capabilities has been a part of every army since the beginning of time, is it really "news" that viruses might be employed as part of such an effort today? I don't think so. The article also states that China is/has developed abilities to withstand such attacks. Um, are they saying that they use some ICSA Labs-certified anti-virus product? Or are they suggesting they have some way to withstand computer attacks that nobody else has thought of yet The article is meatless in this regard.

Cyberwarfare is a sexy word these days, but could simply denote attempts to disrupt the use of computers during war. That could take the many forms, from knocking out communication capabilities to attempting to implant viruses or rootkits. One would expect that all such means would be used in a conflict ... and why not?

However, if you read the 36-page report, you'll find scant references to China's Information Warfare efforts and capabilities beyond the sound bite already mentioned. Further, if you look at similar reports on other countries, it's hard to believe you wouldn't find very similar statements.

Risky Browser Extention Updates? Maybe
Wired has a piece on third-party browser extension vendors -- who also include the ability to update their extensions via the browser -- that are making updates using plain HTTP rather than HTTP over SSL. As such, it's speculated, users may not realize the update tools are connecting to spoofed sites to obtain the updates. This could allow a criminal to mimic the update server and provide criminally crafted code of their choice to the updater.

Yup, it's possible but highly unlikely. The update method here serves as an example of a problem that requires some other vulnerability to be exploited before it can happen. To become a victim to such an attack, your computer must use a criminally controlled DNS server or have your own DNS cache poisoned.

With all that said, one does have to wonder why an update site wouldn't be SSL!

One Small Flaw Looms Big for This P2P
Poor design in an earlier release of their product has led developers of DC++, a file sharing tool, to admit now that "It's difficult to impossible to restrict this." (SecurityFocus has the story here; DC++ has blog post of its own here.) The network is based on a few hubs, which offer up files and millions of clients who want to obtain those files. Earlier versions of the hub server software allowed hub owners to identify the IP address where a file could be found, redirecting clients in search of a file they don't have. Sounded like a pretty good idea at the time; however, now that feature is being abused to point millions of clients seeking a file to a totally unrelated Web server in order to DoS it.

The story is that this is being used to extort monies from site owners. DC++ boasts that there have been 35 million downloads of their software so far, meaning there's a large base of client systems to enlist in your DDoS efforts if you're a criminal.

It's unclear why they couldn't simply introduce something into the hub server software that would prevent down-level clients from being able to connect to them without upgrading. The upgrade would then introduce some client code that would prevent them from communicating with the older version hub servers. This, claims DC++, is impossible.