Today, that time is on the order of hours. Take, for example, MS11-002 (Microsoft Data Access Components Vulnerability, CVE-2011-0027), which was released just this morning (January 12, 2011) by Microsoft. It was a matter of hours before an exploit was available for download (http://www.exploit-db.com/exploits/15984/) for script kiddies and experienced pen testers alike to begin using.
When we consider control systems, and the fact that at best, security patches are approved by the vendor within 7-14 days, we have a pretty wide window of opportunity to exploit these critical systems. Using my "think like a hacker" approach to security, the best time to exploit a targeted control system is during the first few days following the publication of the MS Security Advisories (which are released on the second Tuesday of each month). In reality, we have even longer, as many control systems do not utilize any form of automated patch management system that deploys these updates as soon as they are approved by the vendor.
If I were planning an attack, I would complete my reconnaissance phase and wait until the days immediately following the MS announcement to commence the actual attack, using the latest vulnerabilities, which are sure to evade both the OS and the security protections that are in place.
I also thought that it would be useful to share the updated schedules from a few of the other major vendors. Of course, vendors are free to release out-of-cycle updates for vulnerabilities which they feel are too critical to wait for the normal cycle.
- Microsoft: Monthly, 2nd Tuesday
- Oracle: Quarterly (Jan, Apr, Jul, Oct), Tuesday closest to the 17th of the month
- Cisco (Internetwork Operating System): Bi-Annual (Mar, Sep), 4th Wednesday
- Adobe: Quarterly (Feb, May, Aug, Nov), 2nd Tuesday
- MS10-046 (Propagation)
  - SecurityFocus releases exploit July 15
  - Metasploit releases exploit July 19
  - Microsoft releases patch August 2 (out-of-band)
  - Immunity releases exploit September 27
- MS10-061 (Propagation)
  - Microsoft releases patch September 14
  - SecurityFocus releases exploit September 14
  - Metasploit releases exploit September 17
- MS10-073 (EoP)
  - SecurityFocus releases proof-of-concept July 1
  - Immunity releases exploit October 5
  - Microsoft releases patch October 12
  - SecurityFocus releases exploit October 12
- MS10-092 (EoP)
  - Immunity releases exploit October 5
  - SecurityFocus releases exploit October 18
  - Microsoft releases patch December 14
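To turn the vendor schedule and the MS10 timeline above into something a control-system owner can plan against, here is an added Python example (not from the original post) that computes each vendor's 2011 release dates from the rules listed, the 7-14 day vendor-approval window that follows each release, and how many days a public exploit preceded the patch for the four MS10 bulletins. The vendor names used as dictionary keys and the 2010 dates for the timeline are taken from the post; the functions are my own.

```python
from datetime import date, timedelta

TUESDAY, WEDNESDAY = 1, 2  # date.weekday(): Monday == 0

def nth_weekday(year, month, weekday, n):
    """Date of the n-th `weekday` of the month, e.g. the 2nd Tuesday."""
    first = date(year, month, 1)
    return first + timedelta(days=(weekday - first.weekday()) % 7 + 7 * (n - 1))

def weekday_closest_to(year, month, weekday, day):
    """Date of the `weekday` nearest to `day` of the month (Oracle's rule)."""
    anchor = date(year, month, day)
    forward = (weekday - anchor.weekday()) % 7
    return anchor + timedelta(days=forward if forward <= 3 else forward - 7)

# Release rules exactly as listed in the vendor schedule above.
SCHEDULES = {
    "Microsoft": (range(1, 13), lambda y, m: nth_weekday(y, m, TUESDAY, 2)),
    "Oracle": ((1, 4, 7, 10), lambda y, m: weekday_closest_to(y, m, TUESDAY, 17)),
    "Cisco IOS": ((3, 9), lambda y, m: nth_weekday(y, m, WEDNESDAY, 4)),
    "Adobe": ((2, 5, 8, 11), lambda y, m: nth_weekday(y, m, TUESDAY, 2)),
}

def release_dates(vendor, year):
    """All scheduled release dates for `vendor` in `year`."""
    months, rule = SCHEDULES[vendor]
    return [rule(year, m) for m in months]

def approval_window(release, min_days=7, max_days=14):
    """Span in which the control-system vendor is, at best, still approving the
    patch (the post's 7-14 day figure); the system is unpatched throughout."""
    return release + timedelta(days=min_days), release + timedelta(days=max_days)

# First public exploit/PoC date vs. Microsoft patch date, from the timeline above (2010).
MS10_TIMELINE = {
    "MS10-046": (date(2010, 7, 15), date(2010, 8, 2)),
    "MS10-061": (date(2010, 9, 14), date(2010, 9, 14)),
    "MS10-073": (date(2010, 7, 1), date(2010, 10, 12)),
    "MS10-092": (date(2010, 10, 5), date(2010, 12, 14)),
}

def days_exploit_before_patch(bulletin):
    """Days a public exploit existed before the patch shipped (0 = same day)."""
    exploit, patch = MS10_TIMELINE[bulletin]
    return (patch - exploit).days

if __name__ == "__main__":
    for vendor in SCHEDULES:
        print(vendor, [d.isoformat() for d in release_dates(vendor, 2011)])
    for bulletin in MS10_TIMELINE:
        print(bulletin, days_exploit_before_patch(bulletin), "days before patch")
```

Note that the approval window starts on the public release date, so every exploit published in the hours after Patch Tuesday lands inside it; the MS10 figures show the exposure can also begin months before the patch exists.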
"The increase in the number of flaws being discovered comes at a time when attackers are getting much faster at exploiting them. A survey by security vendor Qualys earlier this year [2009] showed that 80% of vulnerability exploits are available within 10 days of the vulnerability's disclosure. Nearly 50% of the vulnerabilities patched by Microsoft in its security updates for April [2009] already had known exploits by the time the patches were available."
As you can see, we all need to be diligent in addressing patch management within our control system networks. Next month (February 2011), I will be asking the wider community to participate in a survey to collect some real-world data regarding patch management implementations.
If you are interested in exploring any of the Stuxnet exploits that have been published, a list is available at http://www.stuxnetcure.com.