Risk
3/31/2011
12:09 PM
50%
50%

Microsoft Blames Poor Development Practices For Security Risks

Windows and Internet Explorer are at greater risk of attacks because developers don't use mitigation technologies built into the software, said Microsoft.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Too few applications and browser plug-ins are implementing attack-blocking security mechanisms built into Windows and Internet Explorer.

Microsoft made that assertion in "The SDL Progress Report," released Wednesday, which details the evolution of the company's security development lifecycle, used internally, as well as the uptake of mitigation technologies that Microsoft makes available to developers.

Two of those mitigation technologies are Data Execution Prevention (DEP), which helps prevent attackers from executing arbitrary code, and address space layout randomization (ASLR), which makes it difficult for attackers to locate objects, such as DLL files, that they might use to create a successful exploit.

But when Microsoft studied 41 of the most popular and latest consumer applications -- from Microsoft and others -- it found that while 71% of applications fully enable DEP, only 34% of applications fully enable ASLR. Furthermore, 70% of surveyed browser plug-ins don't implement ASLR, while only 20% of surveyed security products fully implement ASLR. As a result, those products and plug-ins, and by extension also IE and Windows, are at greater risk of attack.

Poor uptake of DEP and ASLR might be less of an issue if more organizations pursued secure development practices, which would independently help organizations avoid many of the bugs that DEP and ASLR attempt to block. Yet many organizations don't factor security into their software development lifecycle, which leaves their code at greater risk of being exploited by attackers.

Blame ignorance. "Awareness of security development practices is pretty low, and unfortunately if it's low, that gives criminals a potential advantage," said David Ladd, principal program manager for Microsoft's SDL group, in an interview. "That said, the business decision-makers we've talked to who are aware of security development processes, they need some assurance of ROI."

Secure development -- aka security development -- offers excellent ROI, or return on investment, said Ladd. For example, the average cost required to mitigate and fix a security issue, based on a 2010 report from Aberdeen Group, is $300,000 per vulnerability, per incident, he said. Compare that to the average cost of running a security software program in a development organization, which is $400,000 per year. "So at that point, a single security issue . . . nearly offsets your entire investment in the secure development software lifecycle," he said.

Here's an example of secure development at work: At the PWN2OWN 2011 contest held earlier this month at the CanSecWest conference, security researcher Stephen Fewer of Harmony Security chained together three vulnerabilities -- two for code execution, and another to escape IE's protected mode sandbox -- to successfully exploit the target machine via IE8.

But in the course of IE9 development, said Ladd, Microsoft had already independently identified and eliminated two of those bugs from the IE9 code base, which he offered as proof that taking the time to review code for security errors is a worthwhile pastime. "The reason we caught those two was not because of luck or serendipity, but because we did our homework and found out what the problem was," he said.

In other words, practicing secure coding techniques requires upfront investment, but produces results. "If people want to have a safer computing experience, then they need to invest up front to make sure the proper things are done to ensure security, for when it comes time to do business on the Internet," said Ladd.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8551
Published: 2014-11-26
The WinCC server in Siemens SIMATIC WinCC 7.0 through SP3, 7.2 before Update 9, and 7.3 before Update 2; SIMATIC PCS 7 7.1 through SP4, 8.0 through SP2, and 8.1; and TIA Portal 13 before Update 6 allows remote attackers to execute arbitrary code via crafted packets.

CVE-2014-8552
Published: 2014-11-26
The WinCC server in Siemens SIMATIC WinCC 7.0 through SP3, 7.2 before Update 9, and 7.3 before Update 2; SIMATIC PCS 7 7.1 through SP4, 8.0 through SP2, and 8.1; and TIA Portal 13 before Update 6 allows remote attackers to read arbitrary files via crafted packets.

CVE-2014-1421
Published: 2014-11-25
mountall 1.54, as used in Ubuntu 14.10, does not properly handle the umask when using the mount utility, which allows local users to bypass intended access restrictions via unspecified vectors.

CVE-2014-3605
Published: 2014-11-25
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-6407. Reason: This candidate is a reservation duplicate of CVE-2014-6407. Notes: All CVE users should reference CVE-2014-6407 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2014-6093
Published: 2014-11-25
Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 7.0.x before 7.0.0.2 CF29, 8.0.x through 8.0.0.1 CF14, and 8.5.x before 8.5.0 CF02 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?