Matt Miller, from the Microsoft Security Response Center, delivered a very interesting presentation at the BlueHat conference a few days ago, titled “Trends, challenges, and strategic shifts in the software vulnerability mitigation landscape”.

In this presentation Matt, who is otherwise known as “skape” and is recognized for his many years of work on exploit research and his contributions to the Metasploit project, provided a very interesting overview of the progress made over the last decade in tackling software vulnerabilities. I very much recommend reading the slides, and I hope a video recording will be made available soon.

There are several takeaways from this presentation, and those I found most relevant are:

1) While the number of known software vulnerabilities reported every year follows an increasing trajectory, the percentage of those that are actually exploited in the wild is decreasing.

This highlights an interesting discrepancy, which is hard to recognize for those who do not have access to telemetry such as Microsoft’s: while software vulnerabilities appear to be piling up like never before, attackers are leveraging fewer of them. This is an interesting trend, and while I can imagine a variety of factors that might be influencing this shift, I would be interested in hearing more.

2) Increasingly often, software vulnerabilities are found to be exploited for the first time as 0days, rather than after a patch is released.

Publicly available exploits are becoming less effective, possibly because of the more dedicated update mechanisms employed by recent versions of Windows, and less reliable, thanks to the various mitigation techniques introduced in recent years. Leveraging a patched vulnerability is now most likely to be unsuccessful.

However, we need to be wary of generalizations. Especially in countries with economic difficulties, and even more so in countries subjected to embargoes, the availability of the most recent hardware and software might be limited, particularly to the detriment of individuals at risk.

3) Exploit mitigations have had a significant impact, and we might see a day not too far away where software vulnerabilities are not as much of a concern anymore.

Essentially, things are getting better. With the exception of WannaCry, mass-spreading threats have nearly disappeared, and so has the pandemic exploitation of browsers, plugins and productivity suites.

I’ve been making similar observations in my monitoring of state-sponsored campaigns. While some years ago the large majority of attacks were almost expected to make use of an Adobe Reader or Office exploit (ah, the good old CVE-2012-0158 days!), now any exploit at all is a rare sight for me.

Over the last couple of years I have been doing the exercise of looking back at all disclosed campaigns of targeted attacks against civil society from the previous year and trying to derive some patterns and trends. With the exception of some high-profile cases, such as those of NSO Group, the cases in which any exploit at all (0day or not) was used are near zero.

Instead, far more predominant is the abuse of certain Windows and Office features that are primarily intended for enterprises but are also a perfect attack surface for end users (such as macros, OLE, DDE, PowerShell, etc.) and reflect a lack of care for the needs of individuals at risk. In addition, more recently credential phishing seems to be making a strong return.

As a matter of fact, I believe we are currently witnessing a bigger investment in improving credential phishing frameworks and tactics than in developing spyware. The spyware we observe is generally rudimentary and, while I have no solid data to back this up, I believe spyware’s return on investment is getting comparatively lower than that of phishing. The infection rate is quite likely decreasing significantly, with no corresponding discount on operational costs. Phishing, instead, largely remains an unsolved problem, and it is quantitatively the most common threat we observe these days. Although I would very wildly estimate a success rate generally below 10%, it’s an attack that is cheap to develop and operate and is reusable almost indefinitely.

Getting back to software vulnerabilities and exploits, Matt writes in his presentation that Microsoft’s strategy against them is turning from “increasing cost & difficulty” to “getting to done”. It’s comforting to think we might eventually be “done” with exploits, but if we have learned anything from decades of cybersecurity, it is that the death of the exploit might just be the birth of something new.