Exploitable Software
September 18th, 2008
By James Voorhees
The people assaulting your network have a hundred or more ways to get
in. Many of those come from flaws in the software you use, flaws that
give unscrupulous souls myriad ways to reach the information they seek.
They are limited only by their imagination and your defenses.
Much of the software we use was originally developed before security
became a common concern. It was more important to ship it out than to
make it safe. Much of that old code hasn’t been fixed. More of it
hasn’t been retired. A lot of the problems in it haven’t
been found.
A couple of years ago, Russian hackers found a flaw in an old piece of
code, a function, in a common graphics format, the Windows Metafile
Format (WMF), and used it to infect millions of computers with a wide
variety of malicious code.[1] The function they used had been
superseded by another. The format itself was outdated. Yet the
discovery and exploitation of the vulnerability came as a shock. A
patch was issued only after 10 days of frenetic activity. Infections
can still be seen.
We don’t know how many similar flaws remain to be found in code
that has been around for decades. Moreover, code now being written
continues to have exploitable flaws. In part that is in the nature of
code, which tends to be complex—even a simple program can contain
hundreds of lines, with the chance for error multiplying rapidly
as the number of lines increases. This is one reason why newly popular
types of applications, such as those built from PHP, or services, such
as VoIP, can seem more vulnerable than those that are older: the
older ones have been more thoroughly tested. But this problem also
stems from approaches to writing code that became commonplace before
the need to make code secure was widely recognized. And, as the WMF
problem showed, there is no guarantee that problems with older software
have even been found, much less solved.
You can get an idea of the variety of vulnerabilities that an attacker
can use by looking at the SANS Top 20[2] or at NIST's National
Vulnerability Database (NVD).[3] The latter gives almost 1,500 matches
if you search for software flaws over the last three months. The Common
Weakness Enumeration, which the NVD uses to classify its entries, lists
such weaknesses as the use of insecure cryptographic algorithms, a
failure to enforce access restrictions, and errors in handling numbers.
As a mere glance at the SANS Top 20 shows, these can be found in any
operating system, any browser, indeed, in any kind of application.
This is not to say that there is no defense. You can learn how to
defend your network. It does, however, mean that the battle will
not end soon and that vigilance must be constant.
===
All links valid as of June 12, 2008
1. http://www.sans.org/reading_room/whitepapers/honors/1666.php
2. http://www.sans.org/top20
3. http://nvd.nist.gov