Bill Harris is a security architect specializing in vulnerability management, risk assessment, regulatory security, and organizational policies.
How we got here
In the early days of software development, security was barely a thought. Protocols like HTTP, FTP, and telnet were designed with little to no security in mind. Networking, and the broader Internet, were recently born and hadn’t developed any of the immunities that would one day be necessary for their survival – and people noticed. Among the first to notice were the thrill seekers, defacing Web pages for laughs or stealing computer games before they were released. And then more people noticed. They discovered they could overrun buffers and send malformed network packets to crash the services, making them unavailable. Thieves soon followed, because they realized there was money to be stolen in those servers. People became adept at penetrating perimeter defenses and exploiting vulnerabilities to break into email, databases, and financial systems. Tools like Metasploit were released to help the good guys find these vulnerabilities, and the bad guys noticed those tools also. It became a race to find and patch vulnerabilities before someone else found them and exploited them.
Since Windows quickly became the most widely deployed operating system in the world, Microsoft just as quickly became a top target. Early Microsoft systems suffered from the same lack of security that was common in most code of the era.
In this article I'll summarize how Microsoft has weathered the vulnerability landscape over the past ten years and where we're all headed.
Measuring relative progress
It's logical that the number of Microsoft vulnerabilities will grow as the size of Microsoft's code base grows: more lines of code means more opportunities for problems. But Microsoft doesn't publish how many lines of code it maintains, so we need another way to put its vulnerability counts in context. Annual revenue is an imperfect proxy for the size and reach of the product portfolio, but it gives some background: Microsoft's revenue has increased about 50% since 2020, while the number of reported vulnerabilities has remained roughly steady and the number of critical vulnerabilities has declined. This suggests that Microsoft may be getting better at eliminating and avoiding vulnerabilities in its code.
Eliminating vulnerabilities in old code
It should be no surprise that old code was often insecure, as developers weren't as aware of the threats as they are today. And a lot of that old code still exists in Microsoft products. The Print Spooler, for example, was developed 20 years ago and has deep roots within Windows. New vulnerabilities are still appearing in it, and Microsoft must patch those vulnerabilities in ways that don't break functionality or create new problems.
Avoiding vulnerabilities in new code
Generally, today's developers prioritize security more than they did ten years ago. They understand common problems like code injection and cross-site scripting, and they try to avoid those problems in their code. Even so, new and untested code will inevitably introduce new vulnerabilities. For example, Microsoft Azure and Dynamics 365 accounted for more than half of Microsoft's revenue in 2022, while adding 70 new vulnerabilities of their own.
AI and ML are not poised to solve this problem, either. Stanford researchers found that developers using an AI code assistant were more likely to introduce vulnerabilities, and more likely to believe their code was secure, than developers working without one; the models reproduce common patterns from their training data and don't reliably apply the nuances of secure coding. For more on the subject, see the arXiv paper "Do Users Write More Insecure Code with AI Assistants?"
Trends
As indicated in the graph above, elevation of privilege has been the most common category of Microsoft vulnerability for the last four years. An elevation-of-privilege flaw lets an attacker who already has some foothold gain more permissions than they were granted. It is typically parlayed into subsequent attacks, and it is often not detected until those subsequent attacks have occurred.
But bad actors are pivoting from software vulnerabilities to stealing digital identities. In January 2024 Microsoft disclosed that Midnight Blizzard, a Russian state-sponsored group, had used a password-spray attack to take over a legacy, non-production test tenant account, and then leveraged that account's permissions to reach other environments, ultimately accessing Microsoft source code. That attack didn't rely on a software vulnerability; it relied on guessing a weak password, hijacking the account, and elevating privilege through the access that account had been granted.
Phishing is another method of stealing digital identities. It has also become easy to attack thousands of accounts at once, either by trying a few common passwords against each of them in the hope that one is weak (password spraying) or by tricking someone into clicking a link that prompts them for their credentials.
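The password-spraying pattern described above (one source trying a guess or two against many accounts and then moving on) is easy to miss when you look at accounts one at a time, but it stands out when sign-ins are grouped by source. The following is an added example, not code from the original article or from IT Audit Labs: it runs a simple spray detector over constructed sign-in records in a made-up, space-separated log format, and the thresholds (at least 10 accounts, at most 3 guesses each, within 30 minutes) are assumptions to tune for your own environment.

```python
"""Detect password spraying in sign-in logs: one source, many accounts, few guesses each."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real telemetry), in an assumed
# space-separated format: <utc_timestamp> <source_ip> <account> <result> <reason>.
# 203.0.113.7 sprays twelve accounts once each and then logs in as one of them;
# 198.51.100.4 hammers a single account (brute force, not a spray);
# 192.0.2.9 is a legitimate user who mistyped a password once.
SAMPLE_LOG = """\
2024-01-12T03:10:05Z 203.0.113.7 alice@example.com FAILURE InvalidPassword
2024-01-12T03:10:09Z 203.0.113.7 bob@example.com FAILURE InvalidPassword
2024-01-12T03:10:13Z 203.0.113.7 carol@example.com FAILURE InvalidPassword
2024-01-12T03:10:17Z 203.0.113.7 dave@example.com FAILURE InvalidPassword
2024-01-12T03:10:21Z 203.0.113.7 erin@example.com FAILURE InvalidPassword
2024-01-12T03:10:25Z 203.0.113.7 frank@example.com FAILURE InvalidPassword
2024-01-12T03:10:29Z 203.0.113.7 grace@example.com FAILURE InvalidPassword
2024-01-12T03:10:33Z 203.0.113.7 heidi@example.com FAILURE InvalidPassword
2024-01-12T03:10:37Z 203.0.113.7 ivan@example.com FAILURE InvalidPassword
2024-01-12T03:10:41Z 203.0.113.7 judy@example.com FAILURE InvalidPassword
2024-01-12T03:10:45Z 203.0.113.7 mallory@example.com FAILURE InvalidPassword
2024-01-12T03:10:49Z 203.0.113.7 legacy-test@example.com FAILURE InvalidPassword
2024-01-12T03:12:00Z 203.0.113.7 legacy-test@example.com SUCCESS None
2024-01-12T03:20:00Z 198.51.100.4 bob@example.com FAILURE InvalidPassword
2024-01-12T03:20:05Z 198.51.100.4 bob@example.com FAILURE InvalidPassword
2024-01-12T03:20:10Z 198.51.100.4 bob@example.com FAILURE InvalidPassword
2024-01-12T03:20:15Z 198.51.100.4 bob@example.com FAILURE InvalidPassword
2024-01-12T03:20:20Z 198.51.100.4 bob@example.com FAILURE InvalidPassword
2024-01-12T03:20:25Z 198.51.100.4 bob@example.com FAILURE InvalidPassword
2024-01-12T03:20:30Z 198.51.100.4 bob@example.com FAILURE InvalidPassword
2024-01-12T03:20:35Z 198.51.100.4 bob@example.com FAILURE InvalidPassword
2024-01-12T03:30:00Z 192.0.2.9 carol@example.com FAILURE InvalidPassword
2024-01-12T03:30:12Z 192.0.2.9 carol@example.com SUCCESS None
"""


def parse_line(line):
    """Turn one log line into a dict; the timestamp is parsed so time spans can be measured."""
    ts, ip, account, result, reason = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "account": account, "result": result, "reason": reason}


def detect_password_spray(log_text, min_accounts=10, max_guesses_per_account=3,
                          window=timedelta(minutes=30)):
    """Return one finding per source IP whose failed sign-ins look like a spray.

    A spray is: failures against at least `min_accounts` distinct accounts, no
    single account guessed more than `max_guesses_per_account` times, all inside
    `window`. The thresholds are assumptions; tune them for your tenant.
    A SUCCESS from the same IP against a sprayed account is reported separately,
    because that is the event a responder actually has to act on.
    """
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        failures = [ev for ev in evs if ev["result"] == "FAILURE"]
        if not failures:
            continue
        guesses = defaultdict(int)          # account -> number of failed guesses
        for ev in failures:
            guesses[ev["account"]] += 1
        span = max(ev["ts"] for ev in failures) - min(ev["ts"] for ev in failures)
        is_spray = (len(guesses) >= min_accounts
                    and max(guesses.values()) <= max_guesses_per_account
                    and span <= window)
        if not is_spray:
            continue
        compromised = sorted({ev["account"] for ev in evs
                              if ev["result"] == "SUCCESS" and ev["account"] in guesses})
        findings.append({
            "ip": ip,
            "distinct_accounts": len(guesses),
            "max_guesses_per_account": max(guesses.values()),
            "span_seconds": int(span.total_seconds()),
            "successful_accounts": compromised,   # sprayed accounts the source later got into
        })
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the detector flags only 203.0.113.7 and names legacy-test@example.com as the account it got into; the single-account brute force from 198.51.100.4 is deliberately left to a separate lockout or brute-force rule, since its per-account failure count is the opposite of a spray's signature. In a real tenant the same grouping is worth doing by autonomous system or user agent as well, because spray infrastructure rotates source addresses.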
What can you do?
Despite these trends, system vulnerability management is still an integral part of any information security program. Tracking vendor vulnerability announcements closely, and patching the ones that matter promptly, remains an essential line of defense. Ignore it at your peril.
IT Audit Labs can help your organization reduce risk by detecting and remediating vulnerabilities before the wrong person finds them. Our red team made up of penetration testers and vulnerability analysts can assess your environment and prioritize approaches to keep you secure.