
Are MS Updates for XP really necessary?


Philipitous



Duh, ummm, er "Fluff"?

:}:huh::no:

I am sorry Jaclaz but my tiny mind cannot comprehend the meaning of fluff...

Sure, I understand that :), and I do know about your accident that led to the broken google :w00t:, so here are a couple definitions:

http://en.wikipedia.org/wiki/Fluff

Fluff is a noun for anything light, soft, or fuzzy

http://www.thefreedictionary.com/fluff

fluff (flf)

n.

1. Light down or fuzz, as on a young bird or on a dandelion or milkweed seed.

2. Something having a very light, soft, or frothy consistency or appearance: a fluff of meringue; a fluff of cloud.

3. Something of little substance or consequence, especially:

a. Light or superficial entertainment: The movie was just another bit of fluff from Hollywood.

b. Inflated or padded material: The report was mostly fluff, with little new information.

4. The parts of a junked car that are not metal and cannot be recycled.

5. Informal An error, especially in the delivery of lines, as by an actor or announcer.

I have for you a nice :yes: article on .inf file syntax that is luckily at a level that both of us should be able to understand :unsure::

http://www.wd-3.com/archive/InfFiles.htm

jaclaz

Edited by jaclaz

It's really obvious to anyone who actually breaks into systems that XP is a breeze compared to 8. The security community at large knows this.

You just got through saying you were not gonna appeal to authority and then you come back with this. Well IMHO these comments are now starting to sound like a typical astroturfing exercise. Coincidentally, right now there is a worldwide Microsoft FUD push to frighten everybody on Windows XP to their idi0tic Microsoft Tiles. Are you connected with Baby Blue ( Microsoft ) ?

No offense, but "security professional" means nothing these days. You might just be answering phones for Symantec, submitting virus reports to Sophos, working on the MSE/Defender team, or any number of things. But from the list after list of alleged improvements to the Windows "security" ( talk about an oxymoron ) you seem to have a huge appreciation for and vested interest in it. My understanding is that Softies are required to identify themselves on public forums. Are you connected to them or not?

I'm sayin this because the router isn't relevant to security anymore. If you're running a browser that's all the attack surface necessary.

I'm sorry, but this right here is crazy talk. You mean that: "... the router isn't relevant to last-stand at-the-desktop software-based CPU-driven security anymore ..."

It's not surprising though since earlier you proved you don't understand what a hardware firewall is. You said packets are not tossed, and then breezed right by the correction. Someone who is thorough, attentive to details and humble will own up to errors. You clearly are not familiar with what ports are needed for HTTP and other things because I think you really meant that since a web browser works all ports must be open ( I don't know how else to read that ). You need to brush up on this part badly. You talked about a compromised Linux website as somehow being in the context of what we are discussing here, and said someone "had control" for 6 days. But I went there and read no such thing. They had passwords and data copied, no hijacking, no driveby attacks, and the passwords were not plain text anyway. This happens every day unfortunately, but it is not an attack per se and no-one took control unless you think defaced websites and such are the same thing.

Look, every version of Windows is "more secure" than the previous as long as something was fixed or patched along the way. But in the real world choosing an operating system to live with daily is more nuanced than that. When trade-offs are factored in many people will look at the Playskool operating system and say "screw that mess!" You are advocating the last-stand CPU driven security model where the local PC itself receives everything I/O and then burns up tons of processing cycles to remove malware from the local disk and try to keep threats out. No security professional would ever consider a software firewall and realtime AV anything but a last resort. It is CPU driven, easily disable-able, and packet filtering is done "at the desktop", which is way too close for comfort. Hardware security pushes the perimeter back "to the gateway" for most I/O. What happens on the relatively few forwarded ports is dealt with in layers, like a different browser than MSIE, script and ad-blocking, user attentiveness, etc. They can even use a realtime AV if they are a masochist.

Now you say that an attacker trying to penetrate a system will "see" Windows XP or Windows 8 computers so they can select their preferred victim. Nonsense! They "see" nothing except what strings the browser and other utilities allow them to see. And "them" in this case is a compromised website for example. But no-one in realtime "sees" anything past the NAT / router / firewall because there is nothing beyond it by design. The computers on the network talk to the router, the router talks to the Internet. The Internet talks to the router, the router talks to the network. This concept is as old as dirt.

It's fine to live in the software based security world, I wish you much luck. Now take some advice: your weakness is either having no understanding or experience in the physical hardware in the physical network. This concept comes before software. You need a clearer understanding of this. Then, it will hopefully become clear that the software based security that you are currently lecturing about, is the last leg, but not the most important leg, of the path. The analogy I would make is that if you were fighting disease you would be spending all your time studying antibiotic and antiviral drugs but completely unaware of the existence of hand wash, protective clothing, gloves, masks, etc. Keeping as much of it out in the first place is the first line of defense. You are only worried about the last stand IMHO.


I just feel that I'm arguing a lost cause. I have already provided multiple papers, which got little response, and the argument focused instead on other irrelevant things. I think you all have an opinion, and it doesn't seem I'll be changing it. Unfortunately to change it would require a discussion of a level that would require a legitimate understanding of the subject. That isn't meant as an insult, I have no idea who you people are, or what your fields are - I wouldn't expect a historian to argue with me about ancient Greece because I simply don't know enough about it, and any complex discussion on it would require all members involved have a background.

Again, I've posted multiple papers. You keep saying I haven't posted any "real" evidence - what about those? It feels a lot like confirmation bias.

You want papers and hard evidence? On features only available or significantly improved in versions after XP?

http://www.stanford.edu/~blp/papers/asrandom.pdf

http://msdn.microsoft.com/en-us/library/8dbf701c(VS.80).aspx

https://www.usenix.org/legacy/events/sec03/tech/full_papers/cowan/cowan_html/index.html

https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/

http://lensfire.in/20398/news/intel-introduces-smep-for-ivy-bridge-a-new-security-feature-80649/

http://technet.microsoft.com/en-us/library/bb456992.aspx and https://en.wikipedia.org/wiki/Shatter_attack

https://blogs.technet.com/b/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx?Redirected=true

There you go. But good luck understanding them in a method that will be productive to any conversation unless you have experience with low level languages and exploitation, which is what I've been trying to avoid a conversation on. If you read all of those, and you read the corelan.be and know how you'd write your shellcode to bypass those techniques and you still think that XP is more secure, then we can continue the conversation at that level. Without that, yeah, I'm limited in how I can talk to people on the internet about infosec, because I've got to keep the conversation less technical. That's not aimed as an insult, I'm just trying to discuss it in a way that's clear to you and other readers.

I'm not 'hinting' it, I'm stating it. It's not an insult, it's more an acknowledgment that my argument will be difficult to state because I have to abstract it significantly.

I will try, once more:

1) Exploitation is about cost vs benefit. An attacker has to weigh how much they'll make over how much time it'll take to get in.

2) On XP, because it lacks mitigation techniques that have become commonplace on newer operating systems, the work involved is very little.

3) A compromised computer is generally always able to be monetized. Botnets make criminals hundreds of thousands of dollars, and it doesn't matter if you run XP or 8, the benefit is fairly constant.

4) A patched vulnerability means an attacker needs a new vulnerability. An unpatched vulnerability means the majority of the work is already done for the attacker.

The details of the 'work' involved can be found in those articles above. That's really been the subject of contention - I am trying to illustrate just how much work is involved when you have so many mitigation techniques stacked together the way they are.

If you don't wish to continue the conversation, that's fine. But the information is presented and I would simply resent it being asserted that I haven't posted evidence - it is there for all to see. I can post even more papers.

edit; I have just seen charlotte's post. I will edit in a response here.

You just got through saying you were not gonna appeal to authority and then you come back with this. Well IMHO these comments are now starting to sound like a typical astroturfing exercise. Coincidentally, right now there is a worldwide Microsoft FUD push to frighten everybody on Windows XP to their idi0tic Microsoft Tiles. Are you connected with Baby Blue ( Microsoft ) ?

Very true, I did say I wouldn't argue from authority. I'm simply trying to provide merit, but I never expect anyone to take me at my word, especially on the internet. No, I don't work for Microsoft nor any of their subsidiaries.

No offense, but "security professional" means nothing these days. You might just be answering phones for Symantec, submitting virus reports to Sophos, working on the MSE/Defender team, or any number of things. But from the list after list of alleged improvements to the Windows "security" ( talk about an oxymoron ) you seem to have a huge appreciation for and vested interest in it. My understanding is that Softies are required to identify themselves on public forums. Are you connected to them or not?

No idea who's required to do what. I don't work for MS, nor would I allow a company to tell me I should blather on about their security if I didn't already agree with their opinions on it - my views are my own, and don't reflect any of the companies I've worked for.

Security professional, in my case, means that I have a formal education (computer science and computer security majors) and formal experience in both software development and exploitation. I also have experience defending servers against active attackers, breaking into systems for competitions, etc. I hope that clears that up - no MS here.

It's not surprising though since earlier you proved you don't understand what a hardware firewall is. You said packets are not tossed, and then breezed right by the correction. Someone who is thorough, attentive to details and humble will own up to errors. You clearly are not familiar with what ports are needed for HTTP and other things because I think you really meant that since a web browser works all ports must be open ( I don't know how else to read that ). You need to brush up on this part badly. You talked about a compromised Linux website as somehow being in the context of what we are discussing here, and said someone "had control" for 6 days. But I went there and read no such thing. They had passwords and data copied, no hijacking, no driveby attacks, and the passwords were not plain text anyway. This happens every day unfortunately, but it is not an attack per se and no-one took control unless you think defaced websites and such are the same thing.

I understand Firewalls quite well! I have to, to go to competitions like CCDC and kick a** lol you've misunderstood what I've said, and perhaps I was unclear. I know what ports are needed for HTTP (80, obviously, and 53 for DNS), and I even posted IPTables rules that are common on most hardware Firewalls. Nope, never said all ports must be open, I said that some ports must be open (80, 443, 53, and even 5552/ others potentially) for any traffic to come in, as your system is taking in content (hence a webpage appearing on the screen).

The attack on UF was explaining that being "smart" or having common sense won't help much, as the majority of attacks are through hacked websites (see Sophos 2011 report, and Google Malware Clarity Report) - Ubuntuforums was hacked, and an attacker controlled content for 6 days - the attacker only wanted to get their passwords, so they didn't throw any drivebys on the site (I never said they did, I said they could and that is all).

Look, every version of Windows is "more secure" than the previous as long as something was fixed or patched along the way

Really? Because it seems like earlier some people were saying that patches don't magically add security! So you can understand the confusion about that statement.

But in the real world choosing an operating system to live with daily is more nuanced than that. When trade-offs are factored in many people will look at the Playskool operating system and say "screw that mess!" You are advocating the last-stand CPU driven security model where the local PC itself receives everything I/O and then burns up tons of processing cycles to remove malware from the local disk and try to keep threats out.

Except I've already expressed that what I'm talking about is security, not performance. And I even explicitly stated that I think AV is not significant to Windows 8's security, so I'm not sure why you'd bring it up once more.

No security professional would ever consider a software firewall and realtime AV anything but a last resort. It is CPU driven, easily disable-able, and packet filtering is done "at the desktop", which is way too close for comfort.

Depends on the network configuration. But that's not really important, I don't recommend AVs to people. I only recommend software Firewalls if they don't have a router or if they're on a network with multiple systems. Again, not relevant, since I never made claims about AV or Firewalls, I've talked almost exclusively about ASLR / /GS as examples of mitigation techniques, and I've linked to papers on others.

Hardware security pushes the perimeter back "to the gateway" for most I/O. What happens on the relatively few forwarded ports is dealt with in layers, like a different browser than MSIE, script and ad-blocking, user attentiveness, etc. They can even use a realtime AV if they are a masochist.

It pushes security back for a subset of attacks that haven't been used in years on desktop users.

Now you say that an attacker trying to penetrate a system will "see" Windows XP or Windows 8 computers so they can select their preferred victim. Nonsense! They "see" nothing except what strings the browser and other utilities allow them to see. And "them" in this case is a compromised website for example. But no-one in realtime "sees" anything past the NAT / router / firewall because there is nothing beyond it by design. The computers on the network talk to the router, the router talks to the Internet. The Internet talks to the router, the router talks to the network. This concept is as old as dirt.

Where do I say this? What I said is that attackers who go after Windows 8 will have to spend more time on their exploits. As I said above, I am very well aware of how NAT and Firewalls work, I've set them up while actively under attack by teams of hackers, where the slightest flaw in my IPTables rules means we lose.

It's fine to live in the software based security world, I wish you much luck. Now take some advice: your weakness is either having no understanding or experience in the physical hardware in the physical network. This concept comes before software. You need a clearer understanding of this. Then, it will hopefully become clear that the software based security that you are currently lecturing about, is the last leg, but not the most important leg, of the path. The analogy I would make is that if you were fighting disease you would be spending all your time studying antibiotic and antiviral drugs but completely unaware of the existence of hand wash, protective clothing, gloves, masks, etc. Keeping as much of it out in the first place is the first line of defense. You are only worried about the last stand IMHO.

I hope you understand that the "hardware firewall" you're talking about is in fact just software. It's iptables running on the Linux kernel, or potentially a more custom OS/ Firewall like Cisco's stuff.

I have considerable experience and understanding of network security. Attackers haven't cared about routers for years. In server environments, that's different, and that's why I've had to spend time on network rules so much.

Look at active attacks in the wild... do you see many of them stopped by a NAT? Maybe outbound restrictions will block the stupid ones (those are SO easy to get around, especially on Windows with createremotethread()) but it's not exactly a huge barrier.

Edited by enxz

That isn't meant as an insult, I have no idea who you people are, or what your fields are - I wouldn't expect a historian to argue with me about ancient Greece because I simply don't know enough about it, and any complex discussion on it would require all members involved have a background.

Well, it did sound (and it still sounds) like an insult, but much worse than that, it is an unjustified assumption.

You have NO idea who we are BUT you assume that we won't be able to understand your arguments, and thus drop on us, from the top of your superior knowledge, the "verb".

It may be different in the US, but at least here in Italy/Europe that kind of stance is considered seriously impolite.

On the other hand you are not even consequential.

If you believe we won't be able to follow your arguments because of our little brains and experience, we are simply not worth your time, it is a lost cause.

You could shift your postings and arguments to an environment where - presumably - onlookers and members will be able to understand what you say - just as examples, more "focused on security" forums, like:

http://forums.windowsecurity.com/

http://forum.pcsecurityworld.com/

http://www.topix.com/forum/tech/computer-security

I personally appreciated very much :) your attempt to lower yourself at our "average Joe" level, making us aware of the risks :ph34r: of running XP because it is insecure, as said your opinion on the matter has been set on records, but we cannot go further than that.

BTW, and strangely ON topic :w00t:, interesting conclusions in the Stanford Uni paper you just posted a link to (about ASLR):

http://www.stanford.edu/~blp/papers/asrandom.pdf

....

The resulting exploit is as effective as the original, but slower; the slowdown is not sufficient to frustrate worms or targeted attacks.

Our results suggest that, for current 32-bit architectures,

(1) address-space randomization is ineffective against the possibility of generic exploit code for a single flaw; and

(2) brute force attacks can be efficient, and hence effective.

In addition, we have analyzed the effectiveness of more powerful randomization techniques such as increasing the frequency and granularity of randomization. Subsequent re-randomizations (regardless of frequency) after the initial address-space randomization increases resistance to brute force attack by at most a factor of 2. We also argue that one cannot effectively prevent our attack without introducing a serious denial-of-service vulnerability.

but of course those tests were made on Linux systems, which are notoriously insecure, having been largely written, designed and maintained by someone who is not a security expert and against a software - Apache - which is not AFAIK the typical app that would be run on XP systems at home.... :whistle:

jaclaz

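An added worked example, not part of the quoted paper or of any post in this thread, that makes the quoted "at most a factor of 2" claim concrete: it computes the expected number of guesses needed against a secret that stays fixed versus one that is re-drawn after every failed attempt, and checks both closed forms against a small seeded simulation. The 16-bit entropy figure in the usage section is an illustrative assumption, not a value taken from the thread or the paper.

```python
import random


def expected_guesses_fixed(bits: int) -> float:
    """Secret drawn once and never changed: the attacker enumerates the
    2**bits candidates without repetition, so the hit is uniformly spread
    over positions 1..n and the expectation is (n + 1) / 2."""
    n = 2 ** bits
    return (n + 1) / 2


def expected_guesses_rerandomized(bits: int) -> float:
    """Secret re-drawn after every failed attempt: each guess succeeds
    independently with probability 1/n, a geometric trial with mean n."""
    n = 2 ** bits
    return float(n)


def rerandomization_gain(bits: int) -> float:
    """Factor by which re-randomization multiplies the expected work:
    n / ((n + 1) / 2) = 2n / (n + 1), which never reaches 2."""
    return expected_guesses_rerandomized(bits) / expected_guesses_fixed(bits)


def expected_seconds(bits: int, seconds_per_attempt: float, rerandomize: bool) -> float:
    """Expected wall-clock cost when every attempt carries a fixed delay
    (for instance a crashed process being restarted before the next try)."""
    guesses = (expected_guesses_rerandomized(bits) if rerandomize
               else expected_guesses_fixed(bits))
    return guesses * seconds_per_attempt


def simulate_mean_guesses(bits: int, trials: int, rerandomize: bool, seed: int = 1) -> float:
    """Monte Carlo check of the two closed forms with a seeded generator."""
    rng = random.Random(seed)
    n = 2 ** bits
    total = 0
    for _ in range(trials):
        secret = rng.randrange(n)
        # Against a fixed secret the guesser walks a shuffled, non-repeating
        # list; against a re-randomized one the order is irrelevant, so a
        # fresh uniform guess is drawn each time.
        order = list(range(n))
        rng.shuffle(order)
        attempts = 0
        while True:
            attempts += 1
            guess = rng.randrange(n) if rerandomize else order[attempts - 1]
            if guess == secret:
                break
            if rerandomize:
                secret = rng.randrange(n)
        total += attempts
    return total / trials


if __name__ == "__main__":
    BITS = 16  # illustrative entropy figure, assumed here (not from the thread)
    print("fixed secret, expected guesses:   ", expected_guesses_fixed(BITS))
    print("re-randomized, expected guesses:  ", expected_guesses_rerandomized(BITS))
    print("gain from re-randomization:       ", round(rerandomization_gain(BITS), 5))
    print("simulated mean, 8 bits, fixed:    ", simulate_mean_guesses(8, 2000, False))
    print("simulated mean, 8 bits, re-random:", simulate_mean_guesses(8, 2000, True))
```

The point the numbers make is the one the paper makes: re-randomizing between attempts roughly doubles the guessing work but does nothing about the exponent, so the entropy of the randomized value, not the frequency of re-randomization, is what decides whether brute force is affordable.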

Actually I consider Linux to be more secure than Windows - at least potentially. It varies by distro. It is in spite of Linus, not because of him. Linux is actually the operating system I secure best, and while I have experience with many operating systems, it's the one I'm assigned to deal with most often.

The service, Apache in this case, doesn't matter. ASLR is used in your browser and most other exposed programs... though not on XP (it's used nowhere on XP!) You can read more about the effectiveness of ASLR and its weaknesses, and how Windows has addressed them (especially in 8, like low memory circumstances and against bruteforcing). That's what the papers are for, after all.

Edited by enxz

That's what the papers are for, after all.

Not really. :no:

Related papers are what you may need to provide, together with your clear explanation on how the relevant parts of them apply to the topic at hand.

It is kinda difficult for us hairy reasoners to understand how a paper stating how ASLR implementation on a Linux HTTP Server is to be considered ineffective as a form of increased security leads to attribute to the lack of it on a XP a decrease in its security :unsure:.

Carpenter's example:

Formal statement by the Carpenters' Guild Official Spokesperson (press release):

Two planks joined together by five or more nails are more secure than planks joined with two screws.

To support the above statement, a research paper titled "Ineffectiveness of glue in assembling tin metal sheets" is attached to this press release.

:w00t:

jaclaz

P.S.: I really-really shouldn't do this :w00t:, but this Blackhat presentation paper:

http://media.blackhat.com/bh-us-12/Briefings/M_Miller/BH_US_12_Miller_Exploit_Mitigation_Slides.pdf

represents something that most members will be able to understand and supports your opinion :ph34r:, though the source is not as "independent" as it might be required by many MSFN members :whistle:.

The paper is simple, clear, has nice graphics (that even those that cannot read will surely appreciate) and contains most of the points you previously addressed (in what I consider vague and smart-alecky manners).

Edited by jaclaz

Related papers are what you may need to provide, together with your clear explanation on how the relevant parts of them apply to the topic at hand.

They are definitely related. They don't really merit much explanation, if you read and understand them it's really clear. For example, ASLR has improved from Vista to 8 by significantly increasing entropy on 32bit programs - reading the paper I linked explains how critical that is.

It is kinda difficult for us hairy reasoners to understand how a paper stating how ASLR implementation on a Linux HTTP Server is to be considered ineffective as a form of increased security leads to attribute to the lack of it on a XP a decrease in its security :unsure:.

Understanding the weaknesses of ASLR, like low entropy, no bruteforce detection, and the like is important to understanding how it makes attacks more difficult. I linked to quite a few papers on the subjects, they are all definitely relevant.

The paper is simple, clear, has nice graphics (that even those that cannot read will surely appreciate) and contains most of the points you previously addressed (in what I consider vague and smart-alecky manners).

http://media.blackhat.com/bh-us-12/Briefings/M_Miller/BH_US_12_Miller_Exploit_Mitigation_Slides.pdf

I linked to the above back on page 2, but it got little response. Described in it are improvements to ASLR entropy - something the paper on effectiveness discusses in greater detail. Unfortunately not every paper is going to be broken down like that, not all research comes with a pretty picture.

1) Exploitation is about cost vs benefit. An attacker has to weigh how much they'll make over how much time it'll take to get in.

2) On XP, because it lacks mitigation techniques that have become commonplace on newer operating systems, the work involved is very little.

3) A compromised computer is generally always able to be monetized. Botnets make criminals hundreds of thousands of dollars, and it doesn't matter if you run XP or 8, the benefit is fairly constant.

4) A patched vulnerability means an attacker needs a new vulnerability. An unpatched vulnerability means the majority of the work is already done for the attacker.

Which of these is it that people take issue with?

Edited by enxz

While Charlotte and some others are defending the more radical position, which is running fully unpatched (SP3 out of the box, I presume, but maybe not even that) and without any antivirus (at least real-time), that never was my case. From the start I'm just defending patching to the brim with what MS offers (intelligently and within reason), and using a real-time antivirus, but continuing to run after MS stops providing patches (but adding any unofficial ported patches that may be offered by reliable 3rd parties, if and when available). Just that. Moreover I do favor only keeping the machine up when using it and being behind one (or more) provider(s) of dynamic IPs, and renewing them daily. All this adds to security, as does using a non-sse2 capable machine, for the time being (remember those viruses which relied on "POP CS"? It's the same idea, but reversed). All I'm saying is that end-of-support at 2014 is not a definitive showstopper, even if it does make life more difficult in some aspects.


Here IMHO it is not about "radical" positions (which are legitimate, just as opinions are) it is about opinions expressed as apodictical statements or - if you prefer - represented as the one and only truth (and about the assumption that someone that doesn't agree with you necessarily must be less educated, less knowledgeable and /or downright dumber than you are)

The nice .pdf paper that I "revived" in order to help enxz bring forward the discussion is made along a three points template:

  • here is what has been available till now
  • here is what we have added to increase mitigation
  • here is why the steps we took should be effective.
As said it is clear, simple (besides the nice graphics) but is saying nowhere that the result is working/effective and particularly it does not say how much that is effective (it does say how good are the good MS guys and to which extent and how hard they tried to add these mitigation factors, but little more than that).

It simply cannot do that since it was published BEFORE Windows 8 was even released.

A quantification is made in the (cited) statement by Chris Hallum, which - obviously - is "commercial" fluff.

If we are going to say that some "mitigation factors" were added:

  • to Windows Vista :ph34r: when compared to Windows XP
  • to Windows 7 when compared to Windows Vista :ph34r:
  • to Windows 8 when compared to Windows 7
we do not need to discuss the matter, as it is obvious.

If we are going to say that an OS is more secure than another (or that one is less secure than another) we need some proof that besides and beyond theory, it is actually so.

I will risk an electrical comparison, by means of three nice pictures (shamelessly taken from http://www.aspeterpan.com/survival/elett106.htm ):

[three circuit diagrams, not reproduced here: elettrico004c.gif, elettrico004b.gif, elettrico004a.gif]

The circuit in last image is safer (in theory) because each plug is protected by a dedicated thermal magnetic breaker (of suitable class) AND the line is protected "as a whole" by the 25 A breaker.

BUT some will argue that the circuit in the first image (with only one 16 A breaker) is (besides much cheaper) actually safer because if *anything* below the breaker "hits" 16 A, mains will be cut off, whilst in the last one if *anything* below the main breaker but above the various plug breakers hits 16 A mains will be not cut off (until it hits 25A of course).

The debate is still open since what? 20 years? On the opportunity of making "few lines" with protection at the end of them or "many lines" with protection at the start of them.

jaclaz


(and about the assumption that someone that doesn't agree with you necessarily must be less educated, less knowledgeable and /or downright dumber than you are)

Only less educated in a specific field. I don't rate a human being on their ability to perform risk assessment, I don't think someone is stupid for not understanding security, and everyone has their fields of expertise. I'm sure many members here are much more informed in some areas than I am. I don't really think it's offensive to make the leap from "the majority of people in the field think X so the minority people who disagree with X are likely not informed". Naturally that doesn't hold true often, but security isn't guesswork, there's quite a bit of education and research behind those opinions.

I wouldn't call my statements apodictic but synthetic. I can break down facts and assumptions.

Fact 1: Exploiting software takes work.

Fact 2: Windows XP lacks many mitigation techniques available to Windows Vista, 7, and 8.

I hold the above to be self evident. It's simply a fact that proper ASLR doesn't exist on Windows, as well as other mitigation techniques. It is simply a fact that exploiting software takes work.

Assumption 1: The more work an exploit takes the less likely software is to be exploited, given the same rewards. Attackers tend to take the path of least resistance.

Support for Assumption 1: This is logical. If you want to get from A to B you take the shortest route. Attackers are largely motivated by money, and the more time they spend on a single attack the more work it is to get the same amount of money.

Assumption 2: Mitigation techniques raise the costs of attack.

Support for Assumption 2: Using ASLR as an example. Attackers who exploit flaws in code will often rely on the address of some area of a virtual address space. This is in order to bypass Data Execution Prevention using a technique called Return Oriented Programming (ROP). ROP works by using a program's own code to execute the attacker's commands; an attacker returns into code at a specific address and executes it. Without the address an attacker has to spend more time, and more work, in order to find usable code for their attack. The workarounds can often make attacks less reliable (meaning an attacker only manages to infect a percentage of vulnerable users, while simply DOSing others) and therefore less profitable.

Assumption 3: Attackers want to make money

Support for Assumption 3: The vast majority of attacks are generally aimed at monetizing systems somehow. If you're any good you can easily pull in half a million per year. Most malware we see in the wild is about trying to make money in some way, and there is a significant market behind these attacks, with exploits being sold for tens of thousands of dollars, sometimes hundreds.

Conclusion - synthesis: Mitigation techniques hurt attackers' bottom lines.

If attackers want to make money, and they make more money when they can increase the number of attacks per unit of time spent on an exploit, and mitigation techniques increase the time spent on exploits, then mitigation techniques hurt attackers' profits. Attackers want to make money, so they will go for systems that they can monetize quickly and easily.

Now, we have to define what security is. This is the tricky part, because people often don't agree on this.

Many people define security by the current threat landscape: am I safe against the malware that is out there today?

Other people define security by the perceived future landscape: am I safe against the malware that we'll be seeing tomorrow?

Others define it by the chance of attack: am I likely to be attacked? is my OS uncommon enough to keep me safe?

I personally define security by the level of effort required to get into a machine. Historically, this has made the most sense, as the threat landscape of the future tends to follow research - ROP was shown in research before it was used in the wild (and it is incredibly common now).

So, if we define security by the level of effort required, we have to somehow measure that effort. This is somewhat difficult, but if we take assumption 2 to be true (https://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx?Redirected=true and other evidence that ASLR is effective) then we can at least state that the effort to exploit a system with ASLR is "more" difficult in some cases (where an attacker relies on knowing an address, which is very common). How much more difficult? That's hard to say, because it is not possible to give an exploit-agnostic answer. But there is going to be effort involved, whether it's large or small.

Now, evidence that it's large is there. Attackers have moved their attacks to software that doesn't use ASLR, and their attacks that are on software that uses ASLR tend to be much more complex, sometimes requiring browser plugins and the like to work. But evidence that it isn't large is there as well, at least on earlier iterations of ASLR on Windows, like 7 and below, where information leaks were not patched properly (on 8 they are gone as the PDF earlier shows).

So that's how synthesis works. Unfortunately, certain assumptions (like defining security) are weak, and are the sources of the greatest contention. Thankfully, for the sake of this argument, all of those definitions of security support the synthesis, as both current and future attacks are likely to use ROP, and therefore rely on hardcoded addresses, and XP still holds a significant user base.

I can further extend the synthesis to include patches, but it should be clear that, if developing an exploit takes work, and if someone else has already done the work, it takes less work to attack that system.

Edited by enxz
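The ROP/ASLR reasoning in the post above (a hardcoded gadget address works every time when the image always loads at the same base, and mostly crashes the victim when the base is randomized unless an information leak gives the base back) can be modelled exactly. The following is an added example written for this thread, not code from the original post or from Microsoft. Everything in it is an assumption chosen for illustration: an image with a single useful gadget at offset 0x1234, a 64 KiB load granularity, and 8 bits of base entropy standing in for "ASLR on" versus 0 bits for "no ASLR". The model enumerates every base the loader could pick, so the reliability figures are exact rather than sampled.

```python
"""Added example (not from the original post): exact model of ROP exploit
reliability against a fixed image base vs. a randomized one, with and
without an info-leak.  All addresses and entropy figures are assumptions."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Image:
    """A loaded module: its base address plus gadget offsets (RVAs)."""
    base: int
    gadget_rvas: frozenset

    def contains_gadget(self, addr: int) -> bool:
        return (addr - self.base) in self.gadget_rvas


def run_victim(image: Image, return_address: int) -> str:
    """Outcome when the exploit overwrites a return address: landing on a
    gadget runs the chain ('infected'); anything else faults ('crash')."""
    return "infected" if image.contains_gadget(return_address) else "crash"


def possible_bases(preferred_base: int, entropy_bits: int,
                   granularity: int = 0x10000) -> list:
    """All bases the loader may choose.  0 bits of entropy means the image
    always loads at its preferred base (the no-ASLR case).  Assumed layout:
    the preferred base shifted by a multiple of `granularity` (64 KiB)."""
    return [preferred_base + slot * granularity
            for slot in range(1 << entropy_bits)]


def reliability(entropy_bits: int, attacker_has_leak: bool,
                preferred_base: int = 0x10000000,
                gadget_rva: int = 0x1234) -> float:
    """Fraction of victim processes the exploit infects, over every base
    the loader could pick.

    attacker_has_leak=False: the exploit hardcodes preferred_base + gadget_rva
                             (what works on a system without ASLR).
    attacker_has_leak=True : the exploit first reads the real base through an
                             info-leak bug and computes the address at run time."""
    gadgets = frozenset({gadget_rva})
    bases = possible_bases(preferred_base, entropy_bits)
    infected = 0
    for base in bases:
        image = Image(base, gadgets)
        target = (base if attacker_has_leak else preferred_base) + gadget_rva
        if run_victim(image, target) == "infected":
            infected += 1
    return infected / len(bases)


def expected_profit(entropy_bits: int, attacker_has_leak: bool, victims: int,
                    value_per_infection: float, dev_cost: float) -> float:
    """The post's economics: infections times value, minus development effort.
    Lower reliability lowers the first term; needing a leak raises the second."""
    hits = reliability(entropy_bits, attacker_has_leak) * victims
    return hits * value_per_infection - dev_cost


if __name__ == "__main__":
    for bits, leak in ((0, False), (8, False), (8, True)):
        print(f"entropy={bits:2d} bits  leak={str(leak):5}  "
              f"reliability={reliability(bits, leak):.4f}")
```

With 0 bits of entropy the hardcoded chain infects every victim; with 8 bits it infects one in 256 and crashes the rest, which is exactly the "infect a percentage, DoS the others" effect the post describes; adding a leak restores full reliability, which is why the leak bugs mentioned later in the thread matter so much to the attacker's cost.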


Generally speaking, there's no reason not to install them unless the update specifically causes problems in your system (for various reasons like the update being buggy itself or other programs having issues after installing it, etc.), especially if we're talking about a home computer.

Well, I have redundant copies of my own font collection and as I don't use all of them, more aren't needed.

...searching within this topic before I make my main post...


OK, latest post aside from mine was August 5.

So have you guys seen this article or don't you care either way?

http://www.zdnet.com/microsoft-warns-windows-xp-users-risk-zero-day-forever-7000019503/

http://www.sevenforums.com/news/301421-microsoft-warns-windows-xp-users-risk-zero-day-forever.html

Or so much fear mongering?

I imagine XP users will do what 2000 & 9x users have been doing all along; we as the community just have to point them in the right direction, eh?


OK, latest post aside from mine was August 5.

So have you guys seen this article or don't you care either way?

http://www.zdnet.com/microsoft-warns-windows-xp-users-risk-zero-day-forever-7000019503/

http://www.sevenforums.com/news/301421-microsoft-warns-windows-xp-users-risk-zero-day-forever.html

Or so much fear mongering?

I imagine XP users will do what 2000 & 9x users have been doing all along; we as the community just have to point them in the right direction, eh?

IMHO largely FUD.

The generic idea of a 0-day is that it will work because it is new AND the existing provisions would not catch the exploit or prevent it.

A large number, if not all, of (already issued) MS patches are not against a given exploit; they are against a generic theoretical vulnerability (that a possible, but "fictional" - still not existing - exploit may take advantage of).

The criticality of a patch is assigned arbitrarily based on the possible effects of the exploit IF and WHEN this exploit WILL exist AND IF it actually reaches the actual OS.

If you prefer, the patches (besides being "good practice") are a way to tell the bad guys "before you even think of using this, I have already patched it"; a not-so-trifling part of them is "psychological" welfare.

The other aspect of the "psychological" content of having "patch tuesday" is that the user perceives how much MS cares about his/her security.

Another kind of prevention tool, the typical antivirus, updates its "definitions" once (or more) a day.

But MS does the patches once a month (or maybe twice) + from time to time what they consider "really" critical updates.

http://en.wikipedia.org/wiki/Patch_Tuesday

Over the last few years, you usually had on *any* MS OS (supported or not) 29 0-days a month.

We have no actual data about the number of "real" exploits (0-days) that have been actually prevented through this "security approach", as well we have no idea on how much this has contributed to "Exploit Wednesday".

The mentioned thread and article are nothing but a re-post of the blog post by Tim Rains:

http://blogs.technet.com/b/security/archive/2013/08/15/the-risk-of-running-windows-xp-after-support-ends.aspx

What do you expect that someone who works at MS as Director of Product Management in Microsoft's Trustworthy Computing group would say?

Tim Rains is the Director of Product Management in Microsoft’s Trustworthy Computing group. Tim and his team of product managers support the Microsoft Security Response Center (MSRC), the Microsoft Malware Protection Center (MMPC), and the Microsoft Security Engineering Center (MSEC) which includes the Security Development Lifecycle (SDL) and Security Science.

Incidentally, the data/graphic he uses to bring forward the idea that there are not good or not good enough "mitigation techniques" in Windows XP when compared to Vista :ph34r:, 7 or later:

[image: 57625.Untitled.png]

and which already at first sight seem to have *something* wrong about them (I won't buy today, nor "ever", that 8 has a fraction of the issues of 7), show that Windows Server 2003 has a *whatever* rate comparable to Vista :ph34r: and actually better than 7, less than half that of XP.

Since there is no particular "added mitigation factor" AFAIK/AFAICR in Server 2003 when compared to XP, it should mean that a "same" OS managed by someone in a "more responsible" way has fewer vulnerabilities (which is in a nutshell the thesis by Charlotte).

jaclaz
