Microsoft security engineer Matt Miller told a conference recently that over the last 12 years, around 70 percent of all Microsoft patches were fixes for memory safety bugs.
Memory safety issues cover a wide range of vulnerabilities, including buffer overflows, race conditions, page faults, null pointer dereferences, stack exhaustion, heap exhaustion/corruption, use after free and double free.
Indeed, memory safety has become the biggest attack surface for hackers today, and Miller's presentation at the BlueHat security conference in Israel flagged this fact, going on to explain that use after free and heap corruption vulnerabilities continue to be preferred by attackers developing exploits.
Miller also pointed to the significant challenges that developers face when mitigating vulnerabilities today, firstly due to simple volume.
"Most of the vulnerability classes that existed 20 years ago still exist today – developers are still making the same mistakes," he told delegates.
Secondly, developers are expected to identify and prevent vulnerabilities, but often lack the correct tools to do so, said Miller, also pointing out that in spite of decades of effort by numerous individuals, the number of vulnerabilities found and fixed continues to rise.
The presentation has been broadly well-received, with Project Zero team lead Ben Hawkes welcoming the tone and conclusions:
"Excellent presentation. My perspective upon reading this: there is a level of acknowledgement on the limits of exploit mitigations here that I haven't seen from Microsoft in the past, and the resulting "strategic shifts" look very positive." https://t.co/5Rz0m1ej8n — Ben Hawkes (@benhawkes), February 8, 2019
The Microsoft engineer noted an ongoing trend towards zero-day attacks, saying, "If a vulnerability is exploited, it is most likely going to be a zero day. It is now uncommon to see a non-zero-day exploit released within 30 days of a patch being available…"
(Graphic: Matt Miller)
In response, Ben Hawkes struck a note of caution on Twitter. "In the browser at least, the technological advance of exploit mitigations has stalled at both reverse edges (protecting returns) and data-based attacks," he said. "I'd argue that the state-of-the-art for exploit development is ahead of the curve for now – we have generic approaches to exploiting browsers that are unlikely to be resolved in the near future."
However, on a more upbeat note, Miller did note several positive strategic shifts in favour of the defenders, including widespread changes to make unsafe code safer and transition steps to safer languages. In addition, he noted that as vulnerability patching and prevention had become more effective, this had pushed up the costs of vulnerability exploits for hackers, which had in turn caused a rise in other vectors such as social engineering and password spraying. "It’s important to remember that there are other threats [in addition to vulnerabilities]", he summarised.
Martin Jartelius, CSO at Outpost24, agreed, telling SC Media UK that this wider perspective is often overlooked: "This is a matter of perspective. In an operating system, yes, the main attack surface is the memory management, but that’s also because control of execution is depending on the memory. The main attack surface for someone targeting an application directly, or a server, is to actually infiltrate from within the application's outdated software or exploit any weak or default credentials. Often, segmentation of components is missing while hackers rely on the poor security awareness of enterprise employees. We use the term 'the attack surface' rather carelessly as everyone transposes this to suit their own limited domain in security…"
Matt Miller’s full BlueHat 2019 presentation ‘Trends, challenges, and shifts in software vulnerability mitigation’ is available for download from GitHub.