
This paper is a compilation of vulnerability data for client operating systems for the first 3 months of 2008, January through March. Vulnerabilities and fixes for the following products are discussed:

  • Microsoft Windows Vista
  • Microsoft Windows XP SP2
  • Red Hat Enterprise Linux Desktop (v. 5 client)
  • Red Hat Enterprise Linux WS (V. 4)
  • Ubuntu 6.06 LTS Desktop
  • Apple Mac OS X 10.5 (Leopard)
  • Apple Mac OS X 10.4 (Tiger)

For January through March of 2008, Mac OS X users experienced the highest number of vulnerabilities as well as the highest number of High severity vulnerabilities, while Windows Vista users experienced the fewest vulnerabilities and the fewest High severity vulnerabilities.

Here is the chart breaking down all of the OSes by NVD severity ratings:

[Chart: client OS vulnerabilities by NVD severity rating, Q1 2008]

Download the attached paper for full details.
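An added example of how a scorecard like the one above is tallied (my own illustration, not code from the paper): CVSS v2 base scores are mapped to the NVD severity bands (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0), each vulnerability id is counted at most once per affected product, and products are ranked worst-first. The EX-* ids, scores and affected products are constructed sample data, not real CVE entries.

```python
import csv
import io
from collections import Counter, defaultdict

# Products covered by the Q1 2008 client scorecard.
PRODUCTS = [
    "Windows Vista", "Windows XP SP2", "RHEL Desktop 5", "RHEL WS 4",
    "Ubuntu 6.06 LTS", "Mac OS X 10.5", "Mac OS X 10.4",
]

# Constructed sample data (hypothetical EX-* ids, NOT real CVEs): one row per
# vulnerability with its CVSS v2 base score and the affected products joined
# by '|'. The final row repeats EX-0004 to exercise de-duplication.
SAMPLE_CSV = """id,cvss_v2_base,affected
EX-0001,9.3,Windows Vista|Windows XP SP2
EX-0002,7.5,Windows XP SP2
EX-0003,4.3,Windows Vista|Windows XP SP2
EX-0004,10.0,Mac OS X 10.5|Mac OS X 10.4
EX-0005,7.2,Mac OS X 10.5|Mac OS X 10.4
EX-0006,6.8,Mac OS X 10.5
EX-0007,2.1,Mac OS X 10.5|Ubuntu 6.06 LTS
EX-0008,7.5,Ubuntu 6.06 LTS|RHEL Desktop 5
EX-0009,4.0,RHEL Desktop 5|RHEL WS 4
EX-0010,3.9,RHEL WS 4
EX-0011,5.0,Ubuntu 6.06 LTS|RHEL Desktop 5|RHEL WS 4
EX-0012,4.6,Mac OS X 10.4
EX-0004,10.0,Mac OS X 10.5
"""


def nvd_severity(score):
    """Map a CVSS v2 base score to the NVD severity band (Low/Medium/High)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def parse_records(text):
    """Yield (id, score, [products]) tuples from the CSV text."""
    for row in csv.DictReader(io.StringIO(text)):
        yield row["id"], float(row["cvss_v2_base"]), row["affected"].split("|")


def scorecard(records, products=PRODUCTS):
    """Count vulnerabilities per product and severity band.

    A vulnerability id is counted once per product, so a repeated row (or the
    same CVE listed under two advisories) does not inflate the totals.
    Products that are not on the scorecard are ignored.
    """
    table = {p: Counter() for p in products}
    seen = defaultdict(set)
    for vid, score, affected in records:
        band = nvd_severity(score)
        for product in affected:
            if product in table and vid not in seen[product]:
                seen[product].add(vid)
                table[product][band] += 1
    return table


def totals(table, product):
    return sum(table[product].values())


def rank(table):
    """Worst first: most High severity, then most total, then by name."""
    return sorted(table, key=lambda p: (-table[p]["High"], -totals(table, p), p))


def render(table):
    """Plain-text version of the scorecard chart."""
    lines = [f"{'Product':<16}{'High':>6}{'Medium':>8}{'Low':>5}{'Total':>7}"]
    for p in rank(table):
        c = table[p]
        lines.append(f"{p:<16}{c['High']:>6}{c['Medium']:>8}{c['Low']:>5}"
                     f"{totals(table, p):>7}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(scorecard(parse_records(SAMPLE_CSV))))
```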


In the wake of my Windows Vista One Year Vulnerability Report, I have received many questions regarding the current vulnerability record of Windows Vista as compared with Windows XP SP2.

This short paper is a compilation of vulnerability data for Microsoft Windows Vista and Microsoft Windows XP SP2 for calendar year 2007 and a brief analysis to see if any benefit is apparent for users of one OS over the other.

I found that Windows Vista offers benefit over Windows XP SP2 in the following ways for 2007:

  • Windows Vista had 30% fewer Security Bulletins than Windows XP
  • Windows Vista had 20% fewer vulnerabilities than Windows XP
  • Windows Vista had 28% fewer Critical and Important vulnerabilities than Windows XP
  • 26 vulnerabilities on Windows Vista are less severe for any users running as standard user.

Here is the chart breaking down the vulnerabilities by Microsoft severity ratings:

[Chart: Windows Vista vs. Windows XP SP2 vulnerabilities by Microsoft severity rating, 2007]

Download the short paper attached to this post for full details.


I was excited when Dr. Crispin Cowan joined the company a while back - what security person wouldn't be!  As one of the key drivers behind StackGuard, Linux Security Modules and co-founder of Immunix, which produced AppArmor - few people are as qualified as Dr. Cowan to talk about security features and security boundaries.

So, when he asks "Is UAC a convenience feature, or a security feature?", I would say it is worth reading at least twice.  And if my recommendation is not good enough for you, let me share this quote that might entice you to go read the whole thing:

It is correct to say that UAC’s features are convenience features, in that it is much more convenient to respond to a UAC prompt than it is to have to switch to a separate desktop, log in as an administrator to do the administrative tasks, log out and then return to your standard user session. Whether one views a UAC prompt as a convenience or a nuisance depends on whether you compare it against running as a Standard User, or against running as a full Administrator: vs. running as Standard User UAC is a convenience feature that compromises security, but vs. running as an Administrator as was the default in XP UAC is a security enhancement.

But does that mean that UAC is not a security feature? No. UAC, in all of its forms, including Silent Mode, provides some obstacles to attacks, and so it is always a security feature. UAC in operation does nothing other than to say “no” to some access requests, and so it cannot be anything but a security feature.

Of course, it is always nice when someone shares your own opinion.  As I've said in the past, security features do not have to be perfect in order to provide security value.  UAC definitely falls into that category.  And, as is my wont, I'm now going to go off and see if I can find some (imperfect, most likely) way to measure that value...

Regards ~ Jeff


Late Friday night, I was one of the millions of weekend viewers that helped make Iron Man the second-best premiere ever.  I am surprised by those results, but only because Iron Man isn't so well-known as other Comic Book heroes like Superman or Batman.

Yes, I liked it and was pretty sure I would even before I went.  However, Robert Downey Jr. really did an excellent job as Tony Stark and the movie was faithful to the Origin Story, though it was updated to modern times.  I love to see the casting of good actors to make these characters into movies.

I had heard that there was an extra clip after the credits (which were super long, btw), so I stayed around until they were over and then snapped the picture to the left of the final scene and thought I'd share it with you.

And the cameo dialog seems to mean there will be a follow-up movie of some sort from Marvel, though maybe not Iron Man 2:"... I'm here to talk to you about the Avengers Initiative."


Yesterday, Microsoft published the new Security Intelligence Report for the 2nd half of 2007. (home page is http://www.microsoft.com/sir, and the download page is here).

As one of the contributors for the report, I'd like to highlight the findings summary for the Industry vuln trends:

  • Vulnerability disclosures decreased by about 5 percent in 2007, reversing a multiyear trend of increasing disclosures. Almost all of this decrease was observed in the second half of the year, which had the fewest disclosures since 2H05.
  • Despite the decrease, the number of new disclosures across the industry remains in the thousands, with the number of disclosures in 2007 surpassing that of every other year in the study except 2006.
  • The Common Vulnerability Scoring System (CVSS) used to score vulnerabilities in the NVD was revised in 2007 to increase its accuracy, consistency, and applicability. Retroactively applying the new formula to vulnerabilities disclosed in previous years classifies a much higher percentage of vulnerabilities as High-severity than was previously the case. The vulnerabilities disclosed in 2007 continue this trend, with High-severity vulnerabilities accounting for about half of the total number of vulnerabilities.
  • Vulnerabilities requiring a Low-level of complexity in order to exploit accounted for about half of all vulnerabilities disclosed in 2H07. Although this number is relatively large, the number has declined significantly from earlier periods.

Here is the high level trend chart from the report:

[Chart: industry vulnerability disclosure trend, from the Security Intelligence Report]

Regards ~ Jeff

Yesterday was a busy day, so I got a bit behind with my updates on RSA, but I wanted to post about the Microsoft keynote, in addition to the others I attended.

Format was fireside chat, with Craig Mundie, Microsoft's Chief Research and Strategy Officer, sitting and talking with Chris Leach, Chief Information Security Officer at Affiliated Computer Services.  [fwiw, I personally don't love the fireside chat format.  Give me videos, fancy graphics and lots of acrobats on the stage ...]

I knew generally what Craig was going to talk about, but I was very interested to hear Craig's perspective and see how he thought about and talked about the end-to-end Trust topic.  In my opinion, this is one of the key topics that could help guide where Microsoft security efforts will go over the next 5 years, building on the past 5 years, and I am happy to see that leadership (Craig, Scott Charney) are approaching it as a dialog with industry and a recognition that it needs interoperability and industry support.

Two key topics stuck with me at the end of the keynote:

  1. How security and privacy are very independent, supporting each other, while also having a tension between them.
  2. Any technological efforts supporting End-to-end Trust will need to be very inclusive in order to work in heterogeneous environments.  Past infrastructure efforts (e.g. PKI) have demonstrated that the level of work and investment required means that it is more likely to hit roadblocks if existing business processes are excluded.

After the keynote, with the excellent assistance of Eric Green, I was able to pin down several Microsoft partners and get their thoughts on these two areas.  Listen to the attached mp3 to hear our discussions with these good folks:

  • Sandy Porter, Director, Strategy, Avoco Secure
  • Jeremiah Beckett, President, SecureVantage Technologies
  • Patrick McGregor, Ph.D., CEO, BitArmor
  • Jon Callas, CTO & CSO, PGP Corporation
  • Conrad G. Bayer, Senior Vice President, IDA Strategy, Avaleris (http://www.avaleris.com)
  • Edward J. Gaudet, Senior Vice President, Corporate Development and Marketing, Liquid Machines

I did get a couple of these folks on video as well, so once I get that edited and uploaded, I'll update with links to those.

Additional information that is available on End to End Trust:

Best regards from RSA ~ Jeff

In the past, I haven't always stayed to hear the Crypto panel, but based upon the excellent one this year, I'll definitely include it in my plans going forward.  If you want to hear an overview of what they all said, I can recommend Robert Vamosi's story Cryptographers speak of threats, voting, and Blu-Ray rumors.

I want to highlight the points that Martin Hellman raised with respect to 99.9% probability as a margin of safety, complacency and low probability events.

He had one slide - a picture of a glider soaring very low over a runway at the bottom of a high speed, low pass flight.  Hellman is a pilot and pointed out that this activity is safe for those that do it 999 out of 1000 times, but went on to talk about how cautious pilots are when they first attempt it, but after 50 or 100 times of doing it successfully, they simply aren't as cautious or nervous and as a consequence don't necessarily address every risk as seriously as they did early on.

He also talked about The Black Swan: The Impact of the Highly Improbable and gave several excellent examples of how people underestimate the impact of low-probability, high-impact (even catastrophic) events.

The parallel to the issues of Internet Security is pretty clear.

Targeted attacks are increasingly part of the landscape, but it is much harder to convey their seriousness to the average person than some of the high-profile worms and viruses of the past that got on everyone's radar.  And yet, we heard from Symantec's Stephen Trilling this week how credit card numbers go for as low as $0.40 in the malware underground economy.

Martin's call-for-action was for us security industry practitioners to try to be the group of voices that convince the non-security folks to take security more seriously.  I'm happy to join his efforts in that and exhort you to do the same.

Regards ~ Jeff


Following RSA President Art Coviello on the keynotes this morning was John Thompson, CEO of Symantec.  The topic of the keynote was "Information Centric Security: The Next Wave."

On one hand, this was one of the more interesting sessions of the morning, because John brought up his Research Labs VP, Steve Trilling, who shared lots of interesting security factoids from their research:

  • 70% of malware during the latter half of 2007 stole PII
  • Symantec believes we may have reached an inflection point where more malicious code is created daily than non-malicious code
  • The bad guys have all the elements of a full scale economy, including specialized job roles and a supply and demand market dynamic

In the underground economy:

  • Stolen e-Bay accounts sell for $8
  • Bank accounts sell for $1000
  • Credit card number can go for as little as $0.40
  • World-of-Warcraft level 70 accounts go for $4 and up

This last point was interesting - a WoW account can be worth 100x that of a valid credit card number.  As was said in the keynote "even in virtual worlds, there is real money for hackers."

On the other hand, there wasn't a lot of new information discussed concerning the title - information centric security.  Mr. Thompson did say that we should start taking a more information-centric approach to security, or as he paraphrased it, "take a risk-based approach to protecting data."  But is that really a new approach?

Most of the security professionals (not security technologists or security product folks, necessarily) have advocated a risk-based approach to protecting data for as long as I can remember.  It is still a good idea, don't get me wrong, but I don't see it as the "next wave".

One other call to action which John Thompson made was the call for a national approach to security and privacy disclosure laws.  He pointed out that, in addition to the well-known California law, 40 other state-level bills are currently being considered.  In my opinion, should they pass, it would make it really tough for companies to remain compliant.  I echo his support of the need for a more national solution.

Regards ~ Jeff

X-posted to: http://blogs.technet.com/security and http://www.microsoft.com/security/rsa2008/default.mspx

Though the tutorial sessions kicked off Sunday and ran through today, the RSA Conference Welcome reception kicked things off officially on the show floor this evening.  I arrived late this afternoon, checked into my hotel and made my way over to the convention center to check in and get my badge around 4:00pm.

I also went by the speaker lounge to check in and meet up with my co-speaker for my Wednesday session and we were able to make some good progress on slides (yes, they were due weeks ago, but we'll be tweaking them up to the last minute, no doubt).  We also requested permission to film our session with my camera - this is apparently something that is possible, but you have to ask ahead of time - luckily, we got good guidance on this from the good Mandy Schu, our speaker manager.

At 6:00PM, we went down to the reception and, I must say, my first impression for this year was very good.  The show seems bigger and better than ever.  I saw lots of familiar brands and we meandered over by the Microsoft booth, where I ran into Kai Axford, Austin Wilson and a bunch of other Microsoft folks.  After a bit of smalltalk, I set out to accomplish my goals for the evening:

  • enjoy the free food and drinks
  • work on identifying the common "theme" for RSA this year

Shortly after, as I'm walking by a booth, my ear caught a familiar tune - " naaa   na na    na na... story of my life, story of my life..."  I look over, and yes, there are two security geeks rocking out on Guitar Hero.  Hmm, interesting idea, it definitely seemed to be drawing a crowd.  I wonder why nobody else thought of that.  Five minutes later, after passing 3 Guitar Hero sets, I realized that a lot of people had thought of it.  Play, get high score and win a game system!

So, there it is, the theme of RSA 2008:  Guitar Hero III.

Okay, so that may not be the security theme for the show, but it certainly seemed to be a hit with the attendees, judging by the many people stopping to show off their mad (or not so mad) Guitar Skillz.

I'll be checking back in with you midday tomorrow to give my feedback of how the morning keynote sessions go, but if I get some free time, you may see me on the show floor working my way through "Slow Ride" or "Barracuda."


With less than a week until RSA Conference 2008, I want to provide a short preview of planned RSA activities.  As we have been in the past several years, Microsoft will be very active at the security conference with a Keynote by Chief Research and Strategy Officer Craig Mundie and 12 track sessions involving Microsoft people.

I will be attending RSA and am planning to be very active in providing updates and information from the show itself, publishing to this site as well as my own blog at http://blogs.technet.com/security.  While of course, you should be subscribing to my blog, you might consider coming back to this Microsoft RSA 2008 information page (http://www.microsoft.com/security/rsa2008) for the duration of the conference, as it will be featuring not just my content, but the RSA-related content from other Microsoft security people and partners.

Here are some of the types of content that I have planned for RSA:

  • Commentary on (some of) the keynotes.  I plan to attend the keynotes and share my thoughts on whether anything new and interesting was said or if it was old hat.
  • Walking around video Q&A.  Each year, there are a few "themes" that seem prevalent at RSA (remember the "year(s) of PKI"...)  This year, I plan to talk to people at the conference and see what their impressions are and share them with you, firsthand.
  • Spotlight on new security technology and companies.  RSA is sometimes the "first look" party for emerging security technologies.  I'll see if I can track down some of the contenders and get a demo of them so we can share and discuss.
  • Your content.  Yes, if you blog or want to write something that relates to Microsoft and the RSA conference (or security), you can use this form to contact me to discuss linking to it from our RSA central page. 

In addition to the above content, you will be able to quickly find more detail about any key security-related announcements that Microsoft may make during RSA.

I don't want to list out every single Microsoft session and tell you to go to it, but I will highlight two Microsoft sessions that I will be attending on Tuesday and encourage you to check these out.

Enabling End-to-End Trust
Keynote, Tues, Apr 08, 9:45AM
Craig Mundie, Chief Research and Strategy Officer, Microsoft

Craig Mundie is the visionary Executive that led Microsoft into adopting the Trustworthy Computing initiative. Join him to hear Craig's thoughts on the current set of security challenges facing Microsoft and the industry.

Spyware in 2008
EXP-107, Panel of Industry Experts, Tuesday, Apr 08, 4:10PM
Jeff Williams, Principal Group Manager, Microsoft Malware Protection Center

Jeff and four other Industry Experts will discuss Spyware in 2008, victims, the industry and how it is evolving.

FYI, Jeff is a colleague and co-contributor on the Microsoft Security Intelligence Report, so go ask him some hard questions and tell him I sent you.

Check back later this week and I'll go through all of the Tuesday afternoon timeslots and share which sessions I will be attending, plus I'll identify some alternates that I think might be interesting.

I hope to see you there.  Best regards,

Jeff Jones

PS.  If you are going to be at RSA and would like to say hi and potentially share some conversation or a frothy beverage, please drop me a message ahead of time.  Again, you can use this form.

First, let me express a caveat.  I don't really care for "hack the box" contests.  If a machine doesn't get hacked, it does not mean it isn't breakable.  If it does get hacked, it just shows us what we already know - any machine can be broken under the right circumstances. 

So, don't read too much into the PWN 2 OWN results.  I don't.

Okay, having said that, given how obnoxious and misleading I find those Mac OS X ads and how they've spent millions of dollars publicly criticizing Windows Vista security improvements, I find it ironic and apropos that Mac OS X was the first machine to be owned in the PWN 2 OWN contest at CanSecWest today.

Read about it in LinuxWorld at: Gone in 2 minutes: Mac gets hacked first in contest.

Summary:  Charlie Miller appears to have set up a web site containing malicious code and used a "browse to own" vulnerability to win the contest.

UPDATE: A colleague sent me a link to the source paper that the article discusses: http://www.techzoom.net/papers/blackhat_0day_patch_2008.pdf

As anyone who reads my blog knows, I like to shine a light on areas of common security misperceptions.  I am even happier when others do it. 

I think Apple has really taken a playbook from Oracle (ie, "Unbreakable marketing") with respect to security in the past year with unsupported security claims in their marketing, drawing the attention of security researchers. 

At Black Hat today, researchers from the Swiss Federal Institute of Technology looked at Apple and Microsoft vendor responsiveness to zero-day vulnerabilities and found ... surprise, Apple consistently has more unpatched issues.

Read about the findings in ComputerWorld at Microsoft vs. Apple: Who patches zero-days faster?

If you don't want to do that, here is a key quote from the article:

What they found is that, contrary to popular belief that Apple makes more secure products, Apple lags behind in patching.

"Apple was below 20 [unpatched vulnerabilities at disclosure] consistently before 2005," Frei said. "Since then, they are very often above. So if you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple."

Wednesday April 9, 2008

The RSA Conference is only about a month away now, so I wanted to extend an invitation for you to Meet Up with me and my fellow security bloggers if you are going to be there.

Chances are, if you're a long-time blogger, you've already got an invite, but if not, send me a message and I'll get an RSVP sent out to you.

We really are trying to keep this mainly a Security Blogger networking event, so send me your name, contact information and a pointer to your blog, so I can come and check it out.  If it turns out you only have one post before you sent me your mail ... that qualifies in my book!

If you want extra points, of course, make sure you add me to your blogroll ;-)

While the event itself is limited to security bloggers and podcasters, their readers and listeners can tune in from 6-8 p.m. PT on Wednesday, April 9, 2008, for a live experience. Subscribe to the RSS feed for updates on our central Security Blogger Meetup blog on the RSA Conference site, details about the live podcasting, video streaming and Twitter feeding before, during and after the conference.

I hope to see you there!

Jeff

UPDATE:  The story that originally got my attention has been updated in all of the places I could still find it yesterday, so I'm pulling my references to the story and just focusing on the positive story of SQL Security improvement.  Jeff

Last week a web-based news story came to my attention which asserted that last year SQL Server had "...most vulnerabilities last year of any commercial database..."  That prompted me to do some fact checking and I thought it worth documenting the real (really good) story of SQL vulnerabilities and which commercial database had the most vulnerabilities last year.

  • Microsoft Security Bulletin search tool shows 0 bulletins for SQL Server 2005 over the life of the product, which shipped about 2.5 years ago.
  • Microsoft Security Bulletin search tool shows that SQL Server 2000 has not had a Security Bulletin for over 4 years (January 2004)
  • I did a scan of the National Vulnerability Database (NVD) http://nvd.nist.gov for "Microsoft" and "SQL" and found only three issues disclosed since July 2003 (only 3 in the 4.5 years).  It turns out only one of them may be attributed to SQL and even then, it is a client side control:
    • CVE-2004-1560.  This one was disclosed in Sep-04 and only affected SQL Server 7
    • CVE-2007-5090.  This one was disclosed in Sep-07 and is actually a vulnerability in IBM Rational ClearQuest
    • CVE-2007-4814.  Disclosed in Sep-07, this is a vuln in client side control sqldmo.dll 2000.085.2004.00.  I can't tell for sure, but this looks like a SQL 2000 component based upon the versioning.
  • Finally, I thought I'd check the Symantec-owned www.securityfocus.com web site and searched on their vulnerability search page.
    • A search on "SQL Server" identified the Sep-04 vulnerability that affected SQL 7 as the latest issue
    • A search on "SQL Server 2005" identifies the client side CVE-2007-4814 as the latest issue plus 2 issues in 2006 that affect Xml Core Services
    • A search on "SQL Server 2000" identifies a 2002 issue as the latest since the page was modified in 2007.  Before that, the Xml Core Services issues of 2006

In contrast, I can briefly look at Oracle Critical Patch Updates (CPU) for 2007:

  • Critical Patch Update - January 2007: 17 db vulns, 13 for 10g
  • Critical Patch Update - April 2007: 16 db vulns, 13 for 10g
  • Critical Patch Update - July 2007: 18 db vulns, 16 for 10g
  • Critical Patch Update - October 2007: 30 db vulns, 16 for 10g

So.  One thing is clear from the rudimentary investigation I've performed here - SQL Server was not even close to having the most vulnerabilities last year of any commercial database.

In fact, though SQL 2000 Server may have had a rough track record up through 2003, the SQL team has certainly turned a corner since then and SQL Server 2005 has had one of the best security track records of any commercial database ever.

Let me close by re-quoting something I highlighted in a post a little over a year ago from David Litchfield in his paper Which database is more secure? Oracle vs. Microsoft:

Why have there been so little bugs found in SQL Server since 2002?

Three words: Security Development Lifecycle – SDL. SDL is far and above the most important factor. A key benefit of employing SDL means that knowledge learnt after finding and fixing screw ups is not lost; instead it is ploughed back into to the cycle. This means rather than remaking the same mistakes elsewhere you can guarantee that new code, whilst not necessarily completely secure, is at least more secure than the old code.

I’m not claiming SQL Server is utterly vulnerability free, and I most certainly would never claim SQL Server is unbreakable, but the SQL Server team has made huge progress securing their customers.


Today is Launch Day for 3 big products from Microsoft - Windows Server 2008, Visual Studio 2008 and SQL Server 2008.  Click on the image to learn more general information and participate in the virtual launch.

I want to briefly salute some of the security improvements represented by these products.  This is not a comprehensive list, and I will certainly dig into some of these in more detail later, but it should give you a good idea:

  • Windows Server 2008
    • Building on the solid WS2003 security record, which was a huge step forward from Windows 2000.  As a tribute to 2003, please check out http://www.loneserver.com, a fun site about the last WS2003 in use in the MSCOM server network.
    • Architectural and defense-in-depth protections similar to those lauded in Windows Vista, such as ASLR, Services hardening, and general benefit of the latest generation of the SDL.
    • Server Core
    • Network Access Protection.   Policy driven health checks of machines before they are granted full network access.
  • SQL Server 2008
    • Built upon the incredible security record of SQL Server 2005, which has had zero vulnerabilities in the database code since it launched over 2 years ago.
    • Transparent encryption and improved security policy management capability
  • Visual Studio 2008
    • Latest generation of security source code scanning tools
    • New T-SQL Static code analysis
    • Linq (nothing to do with security, but it rocks!)

Regards,

Jeff
