When surveying the vulnerability landscape this year, one sees a move toward attackers exploiting flaws in services and protocols rather than in applications themselves.
Just a couple of years ago, the biggest targets were severe vulnerabilities in applications such as Microsoft's Internet Information Services (IIS) Web server. This year, however, more flaws in services like RPC-DCOM were exploited by worms.
There are some notable differences between vulnerabilities in services and in applications. The former can be more dangerous, though they are generally harder to find and exploit, experts said.
"Finding security vulnerabilities in a Web server is fairly easy because the protocol of the web, i.e. HTTP, is a plain text protocol," said veteran vulnerability finder David Litchfield of Next Generation Security. "In other words, to find bugs all you need is a minimal understanding of the protocol and be able to type."
"On the other hand, things like DCOM-RPC require you to be able to program and understand a fairly complex protocol. It certainly requires much, much more effort on the part of the bug finder," Litchfield added.
In some ways, most of the easy bugs in applications have already been found. The obvious flaws in IIS, for example, have basically been found. "The low hanging fruit has been plucked," Litchfield said.
Vendors are also putting more work into finding flaws before shipping their applications. "In other words, all the easy flaws are gone and it takes effort to find new ones," said Thor Larholm, senior security researcher with PivX Solutions in Newport Beach, Calif.
Echoing those sentiments, Drew Copley, a research engineer with eEye Digital Security of Aliso Viejo, Calif., said, "Microsoft has hammered their applications, and there was not much attack surface there in the first place."
Vendors, security researchers and crackers don't explore services and protocols as much because they are complicated. "Our idea here has been that these old services remain buggy and probably have not been well looked at by Microsoft," Copley said.
The exploitation of service or protocol vulnerabilities is a double-edged sword. Creating the exploit code can be very difficult, as many involve heap-based buffer overflows rather than the easier-to-exploit stack-based overflows often found in applications, Copley said. In other words, in many cases it will take a hardcore programmer to exploit them. They are not the kinds of things script kiddies can tinker with.
There probably are not more exploits of service vulnerabilities because writing them is difficult. However, the danger they pose is very high. "The possibility of gaining a root compromise is almost guaranteed when exploiting a service, whereas an application level vulnerability is more often than not restricted in impact to the application itself," Larholm said.
Also, a single vulnerable service or protocol may be used by dozens of applications, all of which could be affected.
Yet Litchfield cautions that the increased attention to vulnerabilities in services is not part of a concerted plot. "It's not necessarily a move to services," he said. "The plain text stuff, be these servers or clients, is yielding fewer and fewer results, and so the more complex stuff, in both servers and clients, will gain more attention."
FEEDBACK: Now that attackers may be focusing on exploiting flaws in network services, how does this change your patching priorities?
Send your feedback to the SearchSecurity.com news team.