Thursday, April 14, 2005

Tuesday's MS patches, and the life cycle of a security bug 

One of the security bugs Microsoft fixed in Windows Update on April 12 now has an example program showing how to take advantage of it. You're not instantly at risk, but probably will be soon.

I should explain what that means, so you can make more sense of the endless stream of jargon coming at you in the news these days.

Someone discovers the bug, first of all. There are people who spend their time looking for security holes. They need a rare set of skills and turn of mind to do that kind of work. Sometimes they want to build a reputation that they can cash in on with consulting contracts, and sometimes they're just turned on by the challenge, like any kind of puzzle enthusiast.

Security people call the bug a "vulnerability" at this point. They start wondering "Can this really be used to take over or to crash a machine?", "How can I tell whether I'm affected?", and "Once I install a 'fix', how can I be sure it really fixes the problem?". This is where the discoverer, or somebody else, writes a "proof of concept" program that is harmless but proves that attackers could use the vulnerability. Usually the writer publishes the program so as to answer all the questions above. Sometimes they'll only send it to the vendor of the vulnerable software or equipment.

So far there are good, ethical reasons for everything that everyone's done. People argue passionately about the ethics of finding and disclosing security problems but nothing I've mentioned yet is definitely "black hat" activity.

Microsoft's software is at this point today -- there's a publicly available "proof of concept" for one of their bugs.

The next step is that someone, somewhere, "weaponizes" the proof of concept by changing it to do something destructive and maybe making it easier to run. This is where the risk to you skyrockets. After the weaponized "exploit code" hits the streets, unskilled attackers can run automated attacks against millions of computers including yours. As soon as an attack starts spreading, the antivirus and antispyware companies call it "in the wild". The weaponizing step can take less than a day.

In other words, run Windows Update if you haven't already.
