Consistently Vulnerable Systems

Hungry Man · #1 June 9th, 2012, 12:47 PM

http://www.rationallyparanoid.com/ar...e-systems.html

Quote:

It seems to be that there are fewer and fewer months in which we do not hear about a new 0-day vulnerability that is being actively exploited in order to compromise systems. We've analyzed a list of security advisories over the past 12 months to see whether we are living in an environment in which a user who maintains a fully-patched system is still vulnerable.

Quote:

We considered that the average user has enabled the Windows firewall or is behind a device doing NAT, and so the vulnerability had to be exploitable over the internet by a user browsing a web site or opening an e-mail file attachment. For example MS10-061 (vulnerability in Print Spooler Service could allow remote code execution) originally used by Stuxnet was ignored.

Quote:

We considered the average user to be running Internet Explorer on a Windows XP system with Adobe Reader and Flash installed in their default configuration, with a firewall enabled and antivirus installed.

Quote:

Based on the figures above the average Windows desktop user would have been vulnerable to actively exploited 0-day vulnerabilities for at least 166 days, with any overlapping of vulnerability exposure being factored in. In other words for the past 12 months 45% of the time that the average Windows desktop user is browsing the internet on a fully patched Windows system running antivirus and with a firewall enabled, they are doing so in an environment in which their computers could suddenly become compromised without their knowledge by an exploited vulnerability in which no official vendor-provided security update exists. We believe this to be a conservative figure as it does not factor in:

Nebulus · #2 June 9th, 2012, 01:13 PM

Interesting information, however of a theoretical rather than practical value... I ran a totally unpatched system for 3 years (some times ago) and I never got infected because of other security measures in place (including safe browsing, which can never be really quantified in a study).

AlexC · #3 June 9th, 2012, 01:46 PM

Quote:

Originally Posted by Nebulus

I ran a totally unpatched system for 3 years (some times ago) and I never got infected because of other security measures in place (including safe browsing, which can never be really quantified in a study).

You're part of a minority... It seems to me that the study has practical value and that, more than reasonable, is in fact conservative.

Hungry Man · #4 June 9th, 2012, 01:54 PM

Quote:

Originally Posted by Nebulus

Interesting information, however of a theoretical rather than practical value... I ran a totally unpatched system for 3 years (some times ago) and I never got infected because of other security measures in place (including safe browsing, which can never be really quantified in a study).

IT's not about whether you'll be infected or not it's a matter of whether or not you're vulnerable and to what extent.

Cudni · #5 June 9th, 2012, 02:08 PM

A finger in the air weather check type estimate and then subsequent conclusion based on same.

#6 June 9th, 2012, 04:43 PM

Quote:

Originally Posted by Nebulus

Interesting information, however of a theoretical rather than practical value... I ran a totally unpatched system for 3 years (some times ago) and I never got infected because of other security measures in place (including safe browsing, which can never be really quantified in a study).

I hear people say that all the time. How do you KNOW that you weren't compromised?

Nebulus · #7 June 9th, 2012, 06:15 PM

"Based on the figures above the average Windows desktop user would have been vulnerable to actively exploited 0-day vulnerabilities for at least 166 days, with any overlapping of vulnerability exposure being factored in."

As I said, this is the kind of conclusion that has no practical use. It is interesting as a theoretical experiment, but it doesn't really matter that you are vulnerable 166 days, 180 days or 3 days. All that it matters is that there is a window of risk (longer or shorter, that is not really important) when you are vulnerable to 0-day exploits. Because of this (and the study points this out correctly) you need other security measures than just patching your OS and your application. This is exactly the case I was talking about, when I talked about the experiment of having a computer unpatched for a long time, but with other security measures in place.
Again, to make myself clear, I wasn't contesting the results or the general conclusion, I was just pointing out that there is little practical use in knowing exactly how many days you are vulnerable in a year.

noone_particular · #8 June 9th, 2012, 09:49 PM

With a few name, date and percentage changes, that looks almost exactly like articles I've been seeing for years. Windows and the apps installed on it have been consistently vulnerable for as long as it's been connected to the internet. In spite of who knows how many gigabytes of updates, scheduled patch days, all kinds of updaters and update services, and the rapid release of new versions of apps, in the end it's the same story it's always been.

#9 June 9th, 2012, 10:42 PM

IMO it's hard to see how an OS can be used on 90% of desktops and not be consistently vulnerable. Say what you will about Windows' security shortcomings, omnipresence is a huge incentive for blackhats.

Tarnak · #10 June 10th, 2012, 10:04 AM

...at least I am consistently vulnerable.

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search