Security Updates - Are they the answer?

Ah, another “update Tuesday” – known to the rest of the world as “patch Tuesday” but we are not supposed to call it that.

We have a fine crop of updates for you but I am not going to talk about those, partially because we won’t be releasing them for several hours and partially because that is the province of my much respected colleagues in the MSRC – you can always get the straight dope here: http://blogs.technet.com/msrc/

This month so far has been a fairly quiet time for me. We are seeing fewer new infections recently though the ratios of where this stuff comes from are pretty consistent. You might find the threat map at www.threatexpert.com to be an interesting read.

The Storm botnet is recruiting again, this time with Valentine cards instead of Christmas cards or promises of applications to help you track football scores. A lot of people are now aware of the techniques used by this bot and infection rates seem to be dropping a little, though it is hard to tell. Storm uses a peer-to-peer protocol for its command and control mechanism, so there is no one place to monitor the network. The packets look very much like eDonkey file-share activity unless you know to look for the 40-byte encrypted packet at the start.

On the subject of Storm, this is malware that, in its most recent versions, has been very much based on social engineering. It is apparently remarkably easy to persuade people to install malware on their computers. No really, I am not making this up. Independent research shows that around 75% of malware on systems got there because a user installed it while under the impression that it was a good idea. Some of it is installed because a popup tells them that they need a video codec, so they download an EXE file. Some of them respond to a popup saying that there is evidence of malware or of visits to adult sites on their computer. They download the program to “fix” this problem and then the problems start. Now, gentle reader, I know that you would never fall for such blatant social engineering, but consider your cousin, the person at the supermarket checkout, or yourself when you were a kid still learning what you know now… well, they will. Not every unskilled user will fall for these tricks, but enough will that it is a fertile recruiting ground. 75% of malware gets on systems this way. Who needs security vulnerabilities to spread malware?

Is it heresy to say that on a patch Tuesday? Of course, vulnerabilities matter. Wormable vulnerabilities matter a lot. A corporate network can be taken down in less than an hour by an aggressive worm if there are no mitigations in place. Targeted attacks pretty much always use some vulnerability in software. Vulnerabilities matter a lot. Updates are critical. What they are not is all of the story. Many people seem to think that they are.

One of the most common questions that I get asked when people learn what I do for a living is “Why don’t Microsoft make Windows more secure?” The answer is “We did. Look at Vista and Server 2008. We are. Look at the bulletin release schedule. Look at the malicious software removal tool.” I don’t generally say the next bit. We work very hard to improve security but we don’t have much control over the things that get exploited most often: People.

Ah, but wait a minute, I hear you say. If vulnerabilities are not the be-all and end-all, why is there so little malware on (insert name of alternate OS here)? The answer to this is simple and I am far from the first to say it. Why do criminals rob banks? Well, that is where the money is. Malware used to be written for bragging rights. Now it is written for money. Either way, the malware writer wants as many systems as possible affected. 19 out of 20 desktop systems run some flavor of Windows. If I want to affect as many systems as possible, which do I attack? It is a no-brainer. You develop exploits for the biggest payoff.

Does this depend on which system has the most vulnerabilities? No, not at all. If Linux had 5 times as many vulnerabilities as Windows (which I don’t think for a moment that it has) and you had a 100% success rate at compromising Linux desktops, then you would have… 5% of the market. If you had a 10% success rate at compromising Windows systems, then you have 9.5% of the market. It doesn’t make sense to go for Linux as a platform for malware.

All that said, vulnerabilities in the OS are less of a factor all the time. A lot of exploits target applications these days. The antivirus product, or the reader for one of the common formats (Flash, PDF, Java, or whatever it is this month), is at least as good a target. The people are at least as good a target. In fact, looking at the numbers, the people are 3 times better targets. We can’t make better people, and we don’t want to limit what people can do, because people resent that. Look at the reputation that user access control in Vista has.

It is a tricky problem. We can make better operating systems. We cannot make better people.

(Edited - The original said that we could make better people - so not what I meant)

Signing off

Mark