Wednesday, January 12, 2011

UPDATED: Nearly Instant Exploit when MS Releases Patch

I teach my SCADA security students that we are always faced with a double-edged sword when dealing with the patching of security holes in a common platform: the same hotfix that closes a hole also shows attackers exactly where it was. In the days of the SQL Slammer worm (2003), it could take up to six (6) months to develop an exploit by reverse engineering a Microsoft security hotfix after its release.

Today, that time is on the order of hours. Take, for example, MS11-002 (Microsoft Data Access Components vulnerability, CVE-2011-0027), which was just released this morning (January 12, 2011) by Microsoft. It was a matter of hours before an exploit was available for download for script kiddies and experienced pen testers alike to begin using (http://www.exploit-db.com/exploits/15984/).

When we consider control systems, and the fact that security patches are, at best, approved by the control system vendor within 7-14 days of their release, we have a pretty wide window of opportunity to exploit these critical systems. Using my "think like a hacker" approach to security, the best time to exploit a targeted control system is during the first few days following the publication of the Microsoft security bulletins (released on the second Tuesday of each month), when a working exploit is already public but the vendor-approved patch has not yet been deployed. In reality, the window is even longer, since many control systems do not use any form of automated patch management that deploys updates as soon as the vendor approves them.

If I were planning an attack, I would complete my reconnaissance phase and then wait until the days immediately following the Microsoft release to commence the actual attack, using the newest vulnerabilities, which are the ones least likely to be covered by either the OS patch level or the security protections in place.

I also thought it would be useful to share the updated release schedules of a few of the other major vendors. Of course, vendors are free to release out-of-cycle updates for vulnerabilities they feel are too critical to wait for the normal cycle.
  • Microsoft
    Monthly
    2nd Tuesday

  • Oracle
    Quarterly (Jan, Apr, Jul, Oct)
    Tuesday closest to 17th of the Month

  • Cisco (Internetwork Operating System)
    Bi-Annual (Mar, Sep)
    4th Wednesday

  • Adobe
    Quarterly (Feb, May, Aug, Nov)
    2nd Tuesday

I also compiled some data on Stuxnet that is interesting and worth sharing. For each of the four Microsoft bulletins involved, it compares the date of discovery (let's call it July 16 for all practical purposes), the date Microsoft released the patch, and the dates public exploits were released:
  • MS10-046 (Propagation)
    SecurityFocus releases exploit July 15
    Metasploit releases exploit July 19
    Microsoft releases patch August 2 (out-of-band)
    Immunity releases exploit September 27

  • MS10-061 (Propagation)
    Microsoft releases patch September 14
    SecurityFocus releases exploit September 14
    Metasploit releases exploit September 17

  • MS10-073 (EoP)
    SecurityFocus releases proof-of-concept July 1
    Immunity releases exploit October 5
    Microsoft releases patch October 12
    SecurityFocus releases exploit October 12

  • MS10-092 (EoP)
    Immunity releases exploit October 5
    SecurityFocus releases exploit October 18
    Microsoft releases patch December 14
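
The release rules listed above and the Stuxnet timeline can be turned into a small calculator. The following Python script is an added example, not code from the original post: it encodes the vendor schedules exactly as listed (2nd Tuesday, Tuesday closest to the 17th, 4th Wednesday), applies the 7-14 day vendor-approval delay assumed above to derive the exposure window for any release date, and measures for each Stuxnet bulletin how many days the first public exploit or proof-of-concept preceded the Microsoft patch. The rules and dates come from the post; the function names and the definition of the window (from public release until vendor approval) are my own assumptions.

```python
"""Patch-schedule and exposure-window calculator (added example).

Encodes the vendor release rules and the Stuxnet dates stated in the post
and computes (a) scheduled release dates for a year, (b) the attacker's
window between a public release and a 7-14 day vendor approval, and
(c) for each Stuxnet bulletin, how far the first public exploit led the patch.
"""
from datetime import date, timedelta

# Python's date.weekday(): Monday == 0 ... Sunday == 6
TUESDAY, WEDNESDAY = 1, 2


def nth_weekday(year, month, weekday, n):
    """Return the n-th given weekday of a month, e.g. the 2nd Tuesday."""
    first = date(year, month, 1)
    offset = (weekday - first.weekday()) % 7
    return first + timedelta(days=offset + 7 * (n - 1))


def closest_weekday_to(year, month, day, weekday):
    """Return the given weekday closest to a day of the month
    (Oracle's 'Tuesday closest to the 17th'). Offsets are in -3..3,
    so with a 7-day cycle there is never a tie."""
    anchor = date(year, month, day)
    offset = (weekday - anchor.weekday()) % 7
    if offset > 3:
        offset -= 7
    return anchor + timedelta(days=offset)


# Cadence (months) and day-of-month rule for each vendor, as listed in the post.
SCHEDULES = {
    "Microsoft": (range(1, 13), lambda y, m: nth_weekday(y, m, TUESDAY, 2)),
    "Oracle": ((1, 4, 7, 10), lambda y, m: closest_weekday_to(y, m, 17, TUESDAY)),
    "Cisco IOS": ((3, 9), lambda y, m: nth_weekday(y, m, WEDNESDAY, 4)),
    "Adobe": ((2, 5, 8, 11), lambda y, m: nth_weekday(y, m, TUESDAY, 2)),
}


def release_dates(year):
    """Map each vendor to its scheduled release dates in the given year."""
    return {vendor: [rule(year, m) for m in months]
            for vendor, (months, rule) in SCHEDULES.items()}


def exposure_window(release, approval_min=7, approval_max=14):
    """Attacker's window as assumed in the post (my definition): from the
    public release (an exploit follows within hours) until the control
    system vendor approves the patch 7-14 days later.
    Returns (start, earliest_close, latest_close)."""
    return (release,
            release + timedelta(days=approval_min),
            release + timedelta(days=approval_max))


# Stuxnet dates from the post (all 2010); discovery taken as July 16 as the post does.
STUXNET_DISCOVERY = date(2010, 7, 16)
STUXNET_TIMELINE = {
    "MS10-046": {"patch": date(2010, 8, 2),
                 "exploits": [date(2010, 7, 15), date(2010, 7, 19), date(2010, 9, 27)]},
    "MS10-061": {"patch": date(2010, 9, 14),
                 "exploits": [date(2010, 9, 14), date(2010, 9, 17)]},
    "MS10-073": {"patch": date(2010, 10, 12),
                 "exploits": [date(2010, 7, 1), date(2010, 10, 5), date(2010, 10, 12)]},
    "MS10-092": {"patch": date(2010, 12, 14),
                 "exploits": [date(2010, 10, 5), date(2010, 10, 18)]},
}


def exploit_lead_days(bulletin):
    """Days from the first public exploit/PoC to the patch.
    Negative means the exploit was public before a patch existed."""
    entry = STUXNET_TIMELINE[bulletin]
    return (min(entry["exploits"]) - entry["patch"]).days


def days_discovery_to_patch(bulletin):
    """Days from the assumed discovery date to the Microsoft patch."""
    return (STUXNET_TIMELINE[bulletin]["patch"] - STUXNET_DISCOVERY).days


if __name__ == "__main__":
    for vendor, dates in release_dates(2011).items():
        print(vendor, [d.isoformat() for d in dates])
    for bulletin, entry in STUXNET_TIMELINE.items():
        _, early, late = exposure_window(entry["patch"])
        print(bulletin, "exploit lead:", exploit_lead_days(bulletin),
              "days; discovery to patch:", days_discovery_to_patch(bulletin),
              "days; vendor approval expected", early, "to", late)
```

Running it for 2011 gives January 11 for Microsoft, January 18 for Oracle, March 23 for Cisco and February 8 for Adobe; for the Stuxnet bulletins the first public exploit led the patch by 18, 0, 103 and 70 days respectively, so for three of the four the "window" was open before Patch Tuesday even arrived.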

I also found an interesting statistic in a 2009 ComputerWorld article:

"The increase in the number of flaws being discovered comes at a time when attackers are getting much faster at exploiting them. A survey by security vendor Qualys earlier this year [2009] showed that 80% of vulnerability exploits are available within 10 days of the vulnerability's disclosure. Nearly 50% of the vulnerabilities patched by Microsoft in its security updates for April [2009] already had known exploits by the time the patches were available."

As you can see, we all need to be diligent about patch management within our control system networks. Next month (February 2011), I will be asking the wider community to participate in a survey to collect real-world data on patch management implementations.

If you are interested in exploring any of the published Stuxnet exploits, a list is available at http://www.stuxnetcure.com.
