MS Patch Tuesday: Which Vulnerabilities Really Need Prioritizing. - Douglas McKee - PSW #836

Paul's Security Weekly (Audio)

Navigating Cybersecurity Vulnerabilities

This chapter explores the significance of software vulnerability analysis, particularly in relation to Microsoft and the role of CISA in identifying exploited vulnerabilities. It emphasizes the limitations of traditional metrics like CVSS in prioritizing patching, especially for elevation of privilege vulnerabilities. The discussion also highlights the evolutionary challenges in vulnerability management and the need for transparency within the cybersecurity community.

00:00
Speaker 1
I don't know if I
Speaker 3
read something similar I don't know if it's true, but I read something similar. Even if it's roughly true,
Speaker 1
that's a lot of data to back up what we're talking about, right? Absolutely.
Speaker 3
That's a massive amount of data that they have. Way more than we have, way more than SonicWall is going to have. Not because SonicWall is bad, but just because we're a much smaller vendor. Right. So did Microsoft publish
Speaker 1
this data? And that was incorporated in your report? Okay. Yeah.
Speaker 3
The data that we used is all data that's published on Microsoft's website. We just aggregated it in one place and did some analysis on it. Okay. As far as that
Speaker 1
goes. And so how did you get, so did you attract like which ones were being exploited in the wild? We
Speaker 3
used, so we use CISA for that. So CISA will pick up a CVE if it's exploited in the wild. And then we link that back. So we pulled the Microsoft data and then we pulled the KEV data and we cross-referenced them to go like, this is for sure. If CISA is reporting it as exploited, they do, they go through great lengths to make sure that that's accurate information. I've always said that. Doug, last week
Speaker 1
I sat down with Tod. I don't know if you know, Tod Beardsley, but he is like the lead person now on the CISA KEV. And, and you'll see that come out in the Below the Surface podcast, like next week or the following. So I do other interviews already recorded. I have like this, like now, newfound knowledge about the CISA KEV because I sat down with that. But yes, so he had, so to get on the KEV, not to spoiler alert, right? It has to have a CVE moniker and it has to be exploited in the wild and there has to be a patch available is the general. And I can tell you, and
Speaker 3
I can tell you from my personal experience too, like we've had vulnerabilities, you know, discovered that SonicWall has talked about being exploited in the wild and things like that. And they come and verify, they're like, hey, show us the telemetry data that shows this is actually exploited and not like a researcher scanning. Like, so I mean, they go through the motions there. They don't just put that information out there, which I think adds credibility to it. Absolutely.
Speaker 4
Was there anything in your research that you found surprising, like any vulnerability that, you know, just like, wow, that's interesting that, you know, that rises to the top or anything, even like a category of vulnerability or exploit? Yeah,
Speaker 3
I mean, you led right into exactly where I'm going with this. That's fantastic, Bill. But I think the big wow factor for us was 52 in 2023, 52 percent of exploited vulnerabilities were elevation of privilege vulnerabilities when it comes to Microsoft specifically, right? That's not obviously we're not looking all vulnerabilities in the world. We're talking about Microsoft vulnerabilities. So and and only five percent were remote code execution. So to me, that was a pretty staggering statistic, especially compared to what's actually reported.
Speaker 1
That's what you found being exploited. 52% were privilege escalation, and only 5% were
Speaker 3
remote code execution. Correct. That's what we found being exploited. And if you look at what's reported, it's flipped. So 36 percent of vulnerabilities in 2023 reported to Microsoft were remote code execution. You guys talk about risk and what do we patch, what do we not patch. It's fairly easy. Let's say for a CISO or for an organization to be like, oh, CVSS score greater than eight is an emergency patch or something like that, whatever. I think what I've seen over the years in consulting is that a lot of organizations say for whatever reason, 8.6. 8.6 and above is like, we have to patch it; anything lower is optional or not as critical or whatever that motion may be. And unfortunately, those elevation of privilege vulnerabilities, they don't meet that metric if you're going by CVSS.
Speaker 1
No, they usually don't get to anywhere close to an 8.6.
Speaker 3
No, a lot of them are in the fives. Some make it to six, but most of them are in the fives. Looks like Josh is probably here. Yeah, well, I mean, the comment
Speaker 6
of like, they're in the fives is totally true and then you chain mediums and either it's a medium that gets you to something that then becomes the equivalent of a nine or a 10. Exactly. Just as you were pointing out, or you chain three mediums together and all of a sudden, again, you've got the equivalent of a nine or a 10. And the scoring system just simply doesn't account for it.
Speaker 4
So
Speaker 6
I
Speaker 3
mean, obviously, you've
Speaker 6
got ideas on how to fix that.
Speaker 3
Well, I'm not going to say I've got ideas on how to fix all of CVSS. I think CVSS should be, is a great metric. And I'm not one of those people that say like we should never use CVSS. I think metrics in general are useful and they're not going to be perfect, right? They're a model. George Box used to say, there's a famous quote about all models are wrong, but some are useful. And we're trying to make for ones that are useful. But to me, it's the we can't trust it to be the ground truth of everything and take it as like, that's how I'm going to choose to run my business from a security perspective. It's not like ignore CVSS. It's a data point, it's not the data point. Exactly. I think that's the important message is it's a data point, not the data point. And I think that's what we need to think about as an industry.
Speaker 1
So coming off this research, right? You looked at all these different pockets of data. They were the vulnerabilities that Microsoft disclosed. There was the percentage of people patching them. And then you overlaid what's actually being exploited in the wild. And the big takeaway is like overwhelmingly use in the wild folks, attackers are going after local privilege escalation in Windows systems.
Speaker 3
Yeah. And the other thing is, you know, if you want to, oh, maybe that was just 2023. We've now done the analysis on the first half of 2024. And it's, yeah, we just released this yesterday in our threat report, we put an update to this research. And it's 43% are elevation of privilege and 14% are remote code execution. And believe it or not, here's the other, here's the other kicker. The other 43% are security feature bypass. So that's, I mean, again, that's what it's showing right now. So that means 86% are either elevation of privilege or security feature bypass in the first half of 2024.
Speaker 1
And security feature bypass likely speaks to the majority of those being, I'm already on the system. Exactly.
Speaker 3
To me, it says the same thing. It says exactly the same thing.
Speaker 1
But now then in terms of what people are patching, people are not patching local privilege escalation at the rate they're patching remote code execution. You've got data to back that statement up, right? I
Speaker 3
don't have concrete data to say what people are patching because Microsoft hasn't released that publicly. I can infer what people are patching based on what's working. But clearly, if they were patching elevation of privilege and security feature bypass, then the exploit wouldn't work. So that's kind of the way I would infer that information. But to answer your question directly, I do not have any specific data that says X number of people have patched this. That would be with Microsoft.
Speaker 1
And you and I are on the same page, right? Because we both believe that, yeah, it's probably people are not patching those things.
Speaker 3
I mean, it kind of has to be or the patch doesn't work as the other and that's the worst conclusion.
Speaker 1
Yeah, if the attackers are exploiting it, right, it's ancillary evidence that people are not patching it. I gotcha. Yeah. This is a dangerous place we are right now though. Tug. No. Well, I mean, I'm late at all. I mean,
Speaker 3
it goes, it goes up both directions. You know, you can say like, Oh, well that's being leveraged cause it's not being patched. Right. So, okay. We need to patch it. But then, then we run into the problem. Then what do we don't patch? And it's like, well, we need to patch everything is the moral of the story.
Speaker 1
Yeah. Which is hard to hit. People hate it when I say they need to patch everything. I don't want to put words in your mouth, but like any of us say that people get really upset. They do. Because it's a monumental task to accomplish. Is
Speaker 3
that why? I think patch everything is different depending on your vertical and your device. I think from a Microsoft perspective, Microsoft's made it almost easier than any other company out there as far as the verticals of patch everything, and most of their systems are pretty resilient to patching. So I think it's an easier conversation on Microsoft. I don't think it's, you're still going to have, where I'm going to go with the other side of this is, you guys like to talk about IoT and firmware and things like that. That's a much harder conversation when we talk about patching everything. Especially when you get into real-time systems and you get into critical systems. Yeah, not to talk about CrowdStrike, but there's a failure in that patch is even worse than what we potentially saw if it's a health system or it's an infrastructure system. So that is a complicated conversation. In fact, you can break regulations. When I did that, I was talking about that medical research at the beginning here, when I did that with Philippe. One of the challenges that infusion pump company had was to patch it, they had to redo like the FDA certification process. Like it broke, the patch would break some of that. And like, that's like a year-long process in some cases. And then how do you beat that challenge? So I think it's naive of us as security researchers to say it's as easy as to patch everything. I do think it's a complicated conversation. I do think when it comes to Microsoft and Windows, it is probably the, I'll go on a limb and say it's probably the easiest section of the industry to patch everything. And you still have an issue where you could have critical infrastructure that you're dealing with and you still have embedded systems.
Speaker 1
Oh yeah, I mean we saw that last week. I think the effects were still rippling, but is it easier? I believe, and I'm not as close to the Windows side of things, but I find it, like in my view, that it's easier to roll back a Windows patch than it is to roll back something on a device or IoT device. I
Speaker 3
would agree with that. And I think that has a lot to do with the way Microsoft's evolved their system over the year. I mean, shoot, I don't know if it's still true. I haven't tested it. But I think it was with Windows 10, you could still run like the original Doom or was it Windows 8 or something like that. You could still run Doom for Windows 3.1 because of the way they built the backwards compatibility into their system, which is crazy. But I think that goes to why you can still, like why rolling back is essentially easier in Microsoft. I'm making a little bit of a conjecture there. I don't have data on that. Sure.
Speaker 4
Bill? I have a real quick question. I kind of want to circle back to your research. How does that, so whatever the number was, the 900, you know, vulnerabilities released by Microsoft. How does that break down RCE versus LPE before we add in CISA? So like, so if you know what I mean, like, so is it truly just because there's more like local privilege escalation vulnerabilities to be exploited? No,
Speaker 3
the opposite actually. Great question. So it's a fantastic question. So the, you can look at this in the blog that we released, the 911 vulnerabilities, 36% were remote code execution. 26% were elevation of privilege. So there's less elevation of privilege than remote code execution. And then we talk about security feature bypass, that's only 12%. Again, this is 2023. So the numbers only get smaller from there. They don't get bigger. So the largest portion was remote code execution, and it was only 5% of what was executed. I think
Speaker 4
what you're telling me is that hackers are preferring to hack humans these days. All I got to do is land on that box and then start shocking. You know?
Speaker 3
I mean the way I put it is initial access isn't the problem. Right. That's easy for them. To get on your box is not the problem. How do I get privileged access on your box is where it becomes more of a challenge for them, which is why they're digging into these exploits. You know,
Speaker 1
most penetration testers today will say like, they're not sitting there going, yeah, we, we really go at great lengths to find zero-day vulnerabilities and write exploits for remote code execution vulnerabilities to gain a foothold. That's not what they say. They say, I send an email and I phish someone, I get code execution on their box. And then the game is jumping around without getting caught. Right. And it's essentially the game.
Speaker 3
And the big transparent, that's why I stopped doing penetration testing. Yeah. I got bored sending emails. Like that's right. Right. That's that got not interesting. And I also again, I like to give credit where it's due. But when I was doing this 15 years ago, remote code execution vulnerabilities on Microsoft were a lot of fun because it was not hard. Right. Trying to do that same thing today on Windows 10 or Windows 11, like, good luck. Like it's out of my league to be honest, right? Like it is super complicated with the evolution of the mitigations they've put in place and the way they've evolved the stack and CFT and all that stuff, right? So, I give you some credit for that. Amazing. MS08-067 was amazing. Yeah, it was perfect. We'd leverage that for a long time. 10,000 shells on all the machines in the organization in no time,
Speaker 2
right? Yeah. Yeah. By 2012. In 2012. Yeah, I'm seeing 2012,
Speaker 6
four years after the patch came out.
Speaker 2
Well,
Speaker 6
come on. I mean, Mubix has had MS08-067 for 10 years. Yup. After it came out. He's like, I'm still using it. Every time I'm like, are you still finding that out there in the wild? He goes, every month I find somebody with it and I celebrate with the cake. Yeah. It got less and
Speaker 1
less, but all you need is one. Yep. I mean, just like phishing, all you need is one user to click the link or download the attachment. I
Speaker 3
guess I said I got out of that like red teaming, pentest-type of work, but the last time I was doing it was in 2014. And I kid you not, I used MS08-067 at a hospital.
Speaker 4
I think I would not be surprised if you could do that same thing right now in a hospital. I would either. That technology has changed much since then.
Speaker 1
Wow. So, coming off the data in your report, Doug, what's your advice to organizations today? I think my biggest
Speaker 3
advice is sort of what we talked about, which was don't use the CVSS score as your single data point for what you decide to patch. I think staying on top of what the threat actors are using, so basically what I'm going with here is stay informed. If you need to look at threat research feeds, you need to look at threat data coming and crowd from all different researchers and not just vendors. I also think it's important. And this is somewhat controversial, I suppose, but if you're part of a major breach, whether it's the latest Ticketmaster breach or latest AT&T breach or whatever have you. I think publishing, being transparent and publishing the facts on how that happened and how they moved throughout your network, obviously sanitizing proprietary information and things like that. But obviously, joking aside, if they use MS08-067, you should publish that and say, this is the thing that's still being used by attackers. That's not proprietary information. And the more we can have that information out there, the more that we can be informed. So that's my first recommendation. It's embarrassing though.
Speaker 4
Yeah, it's embarrassing. And I
Speaker 3
think that, you
Speaker 4
know, like, I think publishing, that's, that I think embarrassing and scary is the best way of saying that. But connecting with IC3 and giving that information at least so that it makes it to CISA, right? It would be good. Sure, right, and you, and then you don't have to have a public blog telling people that, you know, hey, I got hit with a 20-year-old, you know, whatever, and you know, so. Like, but yeah, I agree with that. Sorry, you had a second point. I cut you off. I apologize.
Speaker 3
Yeah.
