Study involving two-year Windows XP experiment finds no zero-day attacks

Discussion in 'other security issues & news' started by MrBrian, Oct 8, 2011.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    It seems to me that there are two issues to consider in his study:


    1. The internet attack itself, where the attack attempts to get past the firewall

    2. The exploit payload which targets a vulnerability.

    Whether or not the exploit is 0-day is of no consequence if the attack is blocked by the firewall and never gets a chance to deliver the payload that would attempt to exploit a vulnerability on the system.

    I realize that his purpose is to investigate 0-day stuff, but the statement that attacks succeed even with the firewall enabled is misleading and cause for undue alarm, and it is not clarified in the Study itself but rather in the Comments, where, under questions from MrBrian, we learn about the "Firewall Exceptions" and realize that the firewall was like a piece of Swiss cheese facing the internet, with no added protection:

    regards,

    -rich
     
  2. wat0114

    wat0114 Guest

    I agree with you, Rich. There are just too many holes in the report that could properly explain their testing methodology, and whether or not they did enough or left out obvious hardening strategies that could have easily thwarted all the exploits.
     
  3. Dogbiscuit

    Dogbiscuit Guest

    What he believes he's shown is that there were no zero-day attacks even attempted. Users protecting themselves from a bogeyman that never appears may be misdirecting their resources.

    As Rich explained, just leaving the XP SP2 firewall with specific though not uncommon settings (directly connected to the internet) is far more likely to allow a home user's system to become compromised in time, even if your software is up to date.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Dogbiscuit, that seems to be a fair interpretation. This whole thing seems a bit disjointed...
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Here's my understanding of things:
    1. Some (perhaps many or even all) of the computers used in the study had software listening on ports open to the Internet. (Some programs or services need to have ports open to the Internet to function properly.) Your computer may be configured differently than those in the study. If the computers in the study had instead been configured to have no software listening on ports open to the Internet, I would guess that there would have been significantly fewer compromises - perhaps even none, even without a router. I'll ask Dr. Wright if he agrees. You can use websites such as ShieldsUP to test if there is software listening on ports open to the Internet.
    2. Computers were configured with varying Windows patch levels and varying levels of hardening. Hardening in this context refers to settings such as those seen here (the same CIS benchmark referred to in the study). Some computers in the study had a software firewall running while others didn't.
    3. Some attacks exploited vulnerabilities without a vendor patch at the time - see the quote in post #2. However, in all of these cases, use of a workaround known at the time or third party security software would have prevented the attack from succeeding. Most home users however probably wouldn't and don't apply workarounds.
    4. Routers weren't used in the study. If a router were configured to open the same ports as a properly configured software firewall, then I don't understand how the use of a router would enhance your protection from network attacks beyond the use of a software firewall, with a few exceptions. Exception #1: the router blocks unwanted packets that would have otherwise exploited vulnerable packet handling code on the computer. Exception #2: the router protects you from network attacks if there are situations in which the software firewall isn't working properly or perhaps even running.

    From Dr. Wright:
    Does NAT make my system more secure?
    NAT is secure, think again

    From the first link:
    On an unrelated matter, here's a quote from Dr. Wright from On altruism:
     
    Last edited: Oct 13, 2011
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Dr. Wright's blog post Known Vulnerabilities and Exploits:
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Since you mentioned moving beyond Windows XP, you may be interested in Understanding Windows Vista Service Hardening.
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Dr. Wright answered 14 more of my questions in the comments section at his blog post. Here are the first two:
     
    Last edited: Oct 17, 2011
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    To be clear, I believe that Dr. Wright's mention of Messenger refers to Microsoft's Windows Messenger - a chat program included in Windows XP - and not Messenger Service.
     
    Last edited: Oct 17, 2011
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Not much of a surprise that most vulnerabilities are in other applications.
     
  11. wat0114

    wat0114 Guest

    Some interesting info there, MrBrian, including the Services hardening in Vista. Thanks again!
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :).

    Some lessons of this study are:
    1. The bad guys are still doing port scanning to try to compromise computers in sufficient quantity to get the results seen in this study.
    2. Because of #1, it's probably a good idea to check what ports you have open to the Internet. You can find out how at Windows 7 Open Ports (thread applies also to prior Windows versions).
    3. Keep the software found in step #2 up to date!
    4. If you know that a service or program listening on a port open to the Internet is vulnerable and has no vendor patch, you should consider applying a workaround if available, or just disable the relevant functionality or close the relevant port(s).
     
    Last edited: Oct 18, 2011
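Lesson #2 above, checking what is listening on ports reachable from the Internet, as an added example that is not from the thread, the study or Dr. Wright: a Python script that parses the output of `netstat -ano` (a constructed sample is embedded; on a live Windows machine you would feed it the real output) and reports listening sockets bound to non-loopback addresses, grouped by PID so each can be tied to a program with `tasklist`.

```python
from collections import defaultdict

# Constructed sample of `netstat -ano` output (Windows XP/7 layout); not data
# from the study or from anyone in this thread.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1240
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1038       93.184.216.34:80       ESTABLISHED     1880
  TCP    [::]:3389              [::]:0                 LISTENING       1580
  UDP    0.0.0.0:1900           *:*                                    1100
  UDP    127.0.0.1:123          *:*                                    1012
"""

def split_endpoint(endpoint):
    """'192.168.1.5:139' -> ('192.168.1.5', 139); '[::]:3389' -> ('::', 3389)."""
    addr, port = endpoint.rsplit(":", 1)
    return addr.strip("[]"), int(port)

def parse_netstat(text):
    """Yield (proto, addr, port, state, pid) for each socket line; skip headers."""
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue
        addr, port = split_endpoint(f[1])
        if f[0] == "TCP":                 # TCP rows carry a State column
            yield "TCP", addr, port, f[3], int(f[4])
        else:                             # UDP rows have no State column
            yield "UDP", addr, port, "", int(f[3])

def exposed_listeners(text):
    """LISTENING TCP or any UDP socket bound to a non-loopback address (0.0.0.0 / :: = all interfaces)."""
    found = []
    for proto, addr, port, state, pid in parse_netstat(text):
        if proto == "TCP" and state != "LISTENING":
            continue                      # established/closing connections are not listeners
        if addr.startswith("127.") or addr == "::1":
            continue                      # loopback-only: not reachable from outside
        found.append((proto, addr, port, pid))
    return sorted(found)

def listeners_by_pid(text):
    """Group exposed listeners by PID so each can be tied to a program (tasklist /FI "PID eq N")."""
    groups = defaultdict(list)
    for proto, addr, port, pid in exposed_listeners(text):
        groups[pid].append(f"{proto}/{port} on {addr}")
    return dict(groups)
```

A socket bound to a LAN address such as 192.168.1.5 is still reported, because a machine plugged directly into the modem, as in the study, has no router in front of it to make that address private.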
  13. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Shows the importance of staying up-to-date. Still pretty surprising though.
     