Consistently vulnerable systems

November 16, 2010

It seems that there are fewer and fewer months in which we do not hear about a new 0-day vulnerability that is being actively exploited to compromise systems. We analyzed a list of security advisories from the past 12 months to see whether we are living in an environment in which a user who maintains a fully patched system is still vulnerable.


A few clarifications of our selection criteria: We limited ourselves to 0-day vulnerabilities in Windows, Internet Explorer, Adobe Reader, and Adobe Flash for which the vendor of the software published a security advisory informing the public of active exploitation. For example, although Adobe released an out-of-band patch for Adobe Reader (CVE-2010-2862) in August, this vulnerability is excluded because there was no confirmation from Adobe that it was being exploited.1,2

The vulnerability had to result in remote code execution. Cases involving information disclosure or denial of service were ignored.

We assumed that the average user has enabled the Windows firewall or is behind a device doing NAT, and so the vulnerability had to be exploitable over the internet by a user browsing a web site or opening an e-mail file attachment. For example, MS10-061 (vulnerability in Print Spooler Service could allow remote code execution), originally used by Stuxnet, was ignored.

Vulnerabilities that required fooling the user into performing an action (for example, the MS10-022 vulnerability in the VBScript Scripting Engine in which a victim browses a malicious webpage and is tricked into pressing F1 on a VBScript dialog box) were ignored.

We considered the vulnerability patched once a patch was provided through the normal vendor update channels. We did not consider a vulnerability patched if disabling a specific feature would mitigate the vulnerability, or if a 3rd party patch not approved by the vendor was available. We concluded that the average desktop user will not be taking these actions, and is probably not even aware of the existence of the specific 0-day vulnerability.

If a security advisory was published on Jan/1/2010, and the patch made available on Jan/2/2010, we considered the application to be vulnerable for 2 days (January 1st and January 2nd).

We considered the average user to be running Internet Explorer on a Windows XP system with Adobe Reader and Flash installed in their default configuration, with a firewall enabled and antivirus installed.

The 0-days that match our criteria

Below is the list of 0-days within the last 12 months from the date that this article was originally published:

Period: Nov/03/2010 - TBD
Vulnerability: Internet Explorer (CVE-2010-3962)
Days vulnerable: 14+ (unpatched at the time this article was published)

Period: Oct/28/2010 - Nov/16/2010
Vulnerability: Adobe Reader, Flash, Acrobat (CVE-2010-3654)
Days vulnerable: 20

Period: Sep/08/2010 - Oct/05/2010
Vulnerability: Adobe Reader and Acrobat (CVE-2010-2883)
Days vulnerable: 28

Period: Jul/16/2010 - Aug/02/2010
Vulnerability: Windows Shell .LNK (CVE-2010-2568)
Days vulnerable: 18

Period: Jun/04/2010 - Jun/29/2010
Vulnerability: Adobe Flash Player, Adobe Reader and Acrobat (CVE-2010-1297)
Days vulnerable: 26

Period: Mar/09/2010 - Mar/30/2010
Vulnerability: Internet Explorer (CVE-2010-0806)
Days vulnerable: 22

Period: Jan/14/2010 - Jan/21/2010
Vulnerability: Internet Explorer (CVE-2010-0249)
Days vulnerable: 8

Period: Dec/15/2009 - Jan/12/2010
Vulnerability: Adobe Reader and Acrobat (CVE-2009-4324)
Days vulnerable: 29

Period: Nov/23/2009 - Dec/08/2009
Vulnerability: Internet Explorer (CVE-2009-3672)
Days vulnerable: 15

Results and caveats

Based on the figures above, the average Windows desktop user would have been vulnerable to actively exploited 0-day vulnerabilities for at least 166 days, with any overlap in vulnerability exposure factored in. In other words, for 45% of the time over the past 12 months that the average Windows desktop user was browsing the internet on a fully patched Windows system running antivirus and with a firewall enabled, they were doing so in an environment in which their computer could suddenly become compromised without their knowledge through an exploited vulnerability for which no official vendor-provided security update existed. We believe this to be a conservative figure, as it does not factor in the following:

(1) There is an unknown duration from the time that a vulnerability starts being exploited to the time that this activity is observed sufficiently for a vendor or security organization to conclude that "this vulnerability is being exploited in the wild".

(2) There is a delay from the point that a vendor is aware of active exploitation of a vulnerability in their products to the point that a security advisory informing the public is drafted, approved, and published on their web site.

(3) Not all systems have the updates applied on the same day that they are released, or are immediately rebooted in cases where a system restart is required for the patches to take effect.

(4) Most computers have much more software installed than the applications that we limited ourselves to (e.g. MS Office, Java, QuickTime, iTunes, RealPlayer, Shockwave, etc.).

(5) We know that the software we depend on has plenty of vulnerabilities in its code that we (the public at large) are not yet aware of and that could be exploited at any given time. Although it is not your average-grade malware, Stuxnet, which targeted five different vulnerabilities, four of which were unknown, is an excellent example of this.

(6) Security researchers and companies sometimes disagree with software vendors over whether or not a vulnerability is being actively exploited. Admission by the vendor of active exploitation is the strongest indicator that the vulnerability is being exploited, and is the criterion that we limited ourselves to. In some cases a vendor will release an emergency patch for their product but will declare that they are not currently aware of any active exploitation.

(7) Our selection criteria limited our threat scope to vulnerabilities that can be exploited while browsing the internet or opening a file attachment, whereas a system could be compromised through other channels. For example, even if they are employing a firewall, people who connect their laptops to untrusted networks could be exploited through a vulnerability within their DNS client (MS06-041), DHCP client (MS06-036), NTP client, or through a software update service. Other examples include applications that are vulnerable to DLL preloading attacks (e.g. Microsoft advisory 2269637 published on August 23, for which MS10-087, released on November 9, "addresses a particular instance of this type of vulnerability" for MS Office).
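
The overlap-adjusted total in the results above can be reproduced by merging the listed date ranges before counting days. The script below is an added example, not the authors' own tooling: the function names are illustrative and the unpatched entry is capped at the article date. Because it applies the inclusive-day rule to every entry, it counts Nov/23/2009 - Dec/08/2009 as 16 days where the list states 15, and so arrives at 167 days rather than 166.

```python
from datetime import date, timedelta

ARTICLE_DATE = date(2010, 11, 16)  # publication date; caps the unpatched entry

# (CVE, advisory date, patch date) copied from the article's list.
# None means no patch existed when the article was published.
WINDOWS = [
    ("CVE-2009-3672", date(2009, 11, 23), date(2009, 12, 8)),
    ("CVE-2009-4324", date(2009, 12, 15), date(2010, 1, 12)),
    ("CVE-2010-0249", date(2010, 1, 14), date(2010, 1, 21)),
    ("CVE-2010-0806", date(2010, 3, 9), date(2010, 3, 30)),
    ("CVE-2010-1297", date(2010, 6, 4), date(2010, 6, 29)),
    ("CVE-2010-2568", date(2010, 7, 16), date(2010, 8, 2)),
    ("CVE-2010-2883", date(2010, 9, 8), date(2010, 10, 5)),
    ("CVE-2010-3654", date(2010, 10, 28), date(2010, 11, 16)),
    ("CVE-2010-3962", date(2010, 11, 3), None),
]


def inclusive_days(start, end):
    """Advisory day and patch day both count (Jan 1 - Jan 2 is 2 days)."""
    return (end - start).days + 1


def merge_windows(windows, cap=ARTICLE_DATE):
    """Collapse overlapping or back-to-back windows into disjoint spans."""
    spans = sorted((start, end or cap) for _, start, end in windows)
    merged = []
    for start, end in spans:
        if merged and start <= merged[-1][1] + timedelta(days=1):
            merged[-1][1] = max(merged[-1][1], end)  # extend current span
        else:
            merged.append([start, end])
    return [tuple(span) for span in merged]


def exposure_days(windows, cap=ARTICLE_DATE):
    """Days on which at least one listed 0-day had no vendor patch."""
    return sum(inclusive_days(s, e) for s, e in merge_windows(windows, cap))


if __name__ == "__main__":
    naive = sum(inclusive_days(s, e or ARTICLE_DATE) for _, s, e in WINDOWS)
    union = exposure_days(WINDOWS)
    print(f"sum of windows: {naive} days, after merging overlaps: {union} days")
    print(f"share of a 365-day year: {union / 365:.1%}")
```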


So what can be done to protect users against 0-day threats? Obviously applying the latest updates is not going to help. The effectiveness of most antivirus software at protecting against exploits is generally poor, and using a stateful firewall won't make a difference because in most cases the exploit payload uses permitted ports such as HTTP, HTTPS, and DNS.

There is a SANS ISC diary entry that lists various mitigations that people can use, some of which are mainly applicable within a corporate network or require a reasonable amount of technical expertise to deploy effectively. The ones that we recommend below are relatively simple for anyone to use, and are free:

* Install and use Microsoft EMET. Perhaps one of the best things you can do to protect your Windows systems, this is a lightweight and easy-to-use tool provided by Microsoft that offers excellent protection against a frequently exploited class of software vulnerabilities. Visit our article on EMET to see the instructions for installing and configuring this free software.

* Uninstall any unnecessary software that came bundled with your computer, or that you installed in the past and no longer use, especially any software that launches automatically simply by browsing a web site.

* Given the threat of "malvertising", in which content from malicious advertisements delivering exploits is automatically pushed onto your computer while you browse a legitimate web site, consider using Firefox with Adblock Plus to block this attack vector. You may also wish to consider using the Firefox NoScript and Flashblock plugins, although these require more fine-tuning.

* Get in the habit of examining your software's configuration and modifying the settings of features that you do not need. For example, US-CERT frequently recommends configuring Adobe Reader to disable JavaScript, to prevent your web browser from automatically opening PDF files, and to disable the displaying of PDF files within your web browser.

* Although it can be argued to be security through obscurity, consider using less frequently targeted, less vulnerable, or more restrictive versions of software, such as an alternative PDF reader.

* Configure your antivirus to run scheduled virus scans of your entire hard drive, as this may help reveal that your computer was the target of an infection attempt, such as by discovering exploit code within your Temporary Internet Files folder that was undetected by antivirus at the time of download but is detectable now.

* Use a regular unprivileged account for your day-to-day work (i.e. never use an account with administrator privileges to browse the internet). Use a separate administrator account for any task that requires administrator privileges, such as installing new software.

Individuals with the means can also protect their systems or limit the damage caused by a successful exploitation by deploying HIPS software, proxy servers, virtualized systems and sandboxed environments, by passing their traffic through a firewall capable of enforcing protocol compliance (i.e. making sure that traffic passing over 80/TCP is in fact HTTP) and application layer filtering, and by configuring their systems to only allow execution of files from specific folders. People can also choose to use dedicated equipment for specific tasks. For example in late 2009 the FBI and the American Banking Association issued an alert advising small businesses to use a dedicated single computer for online banking activity that is never used for reading e-mail or surfing anywhere else on the web.3

Finally, users can choose to alter their behavior, such as refusing to open PDF file attachments or links received in unsolicited e-mails, or disabling a specific plugin or add-on for their web browser (such as Java) and enabling it only when required.

1. "Prenotification: Out-of-band Security Updates for Adobe Reader and Acrobat", Adobe, August 5, 2010

2. "Security Bulletins: APSB10-17 - Security updates available for Adobe Reader and Acrobat", Adobe, August 19, 2010

3. "Feds Warn Small Businesses to Use Dedicated PC for Online Banking", Wired, December 31, 2009