Risk
3/31/2011
12:09 PM
Connect Directly
RSS
E-Mail
50%
50%

Microsoft Blames Poor Development Practices For Security Risks

Windows and Internet Explorer are at greater risk of attacks because developers don't use mitigation technologies built into the software, said Microsoft.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Too few applications and browser plug-ins are implementing attack-blocking security mechanisms built into Windows and Internet Explorer.

Microsoft made that assertion in "The SDL Progress Report," released Wednesday, which details the evolution of the company's security development lifecycle, used internally, as well as the uptake of mitigation technologies that Microsoft makes available to developers.

Two of those mitigation technologies are Data Execution Prevention (DEP), which helps prevent attackers from executing arbitrary code, and address space layout randomization (ASLR), which makes it difficult for attackers to locate objects, such as DLL files, that they might use to create a successful exploit.

But when Microsoft studied 41 of the most popular and latest consumer applications -- from Microsoft and others -- it found that while 71% of applications fully enable DEP, only 34% of applications fully enable ASLR. Furthermore, 70% of surveyed browser plug-ins don't implement ASLR, while only 20% of surveyed security products fully implement ASLR. As a result, those products and plug-ins, and by extension also IE and Windows, are at greater risk of attack.

Poor uptake of DEP and ASLR might be less of an issue if more organizations pursued secure development practices, which would independently help organizations avoid many of the bugs that DEP and ASLR attempt to block. Yet many organizations don't factor security into their software development lifecycle, which leaves their code at greater risk of being exploited by attackers.

Blame ignorance. "Awareness of security development practices is pretty low, and unfortunately if it's low, that gives criminals a potential advantage," said David Ladd, principal program manager for Microsoft's SDL group, in an interview. "That said, the business decision-makers we've talked to who are aware of security development processes, they need some assurance of ROI."

Secure development -- aka security development -- offers excellent ROI, or return on investment, said Ladd. For example, the average cost required to mitigate and fix a security issue, based on a 2010 report from Aberdeen Group, is $300,000 per vulnerability, per incident, he said. Compare that to the average cost of running a security software program in a development organization, which is $400,000 per year. "So at that point, a single security issue . . . nearly offsets your entire investment in the secure development software lifecycle," he said.

Here's an example of secure development at work: At the PWN2OWN 2011 contest held earlier this month at the CanSecWest conference, security researcher Stephen Fewer of Harmony Security chained together three vulnerabilities -- two for code execution, and another to escape IE's protected mode sandbox -- to successfully exploit the target machine via IE8.

But in the course of IE9 development, said Ladd, Microsoft had already independently identified and eliminated two of those bugs from the IE9 code base, which he offered as proof that taking the time to review code for security errors is a worthwhile pastime. "The reason we caught those two was not because of luck or serendipity, but because we did our homework and found out what the problem was," he said.

In other words, practicing secure coding techniques requires upfront investment, but produces results. "If people want to have a safer computing experience, then they need to invest up front to make sure the proper things are done to ensure security, for when it comes time to do business on the Internet," said Ladd.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2886
Published: 2014-09-18
GKSu 2.0.2, when sudo-mode is not enabled, uses " (double quote) characters in a gksu-run-helper argument, which allows attackers to execute arbitrary commands in certain situations involving an untrusted substring within this argument, as demonstrated by an untrusted filename encountered during ins...

CVE-2014-4352
Published: 2014-09-18
Address Book in Apple iOS before 8 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID.

CVE-2014-4353
Published: 2014-09-18
Race condition in iMessage in Apple iOS before 8 allows attackers to obtain sensitive information by leveraging the presence of an attachment after the deletion of its parent (1) iMessage or (2) MMS.

CVE-2014-4354
Published: 2014-09-18
Apple iOS before 8 enables Bluetooth during all upgrade actions, which makes it easier for remote attackers to bypass intended access restrictions via a Bluetooth session.

CVE-2014-4356
Published: 2014-09-18
Apple iOS before 8 does not follow the intended configuration setting for text-message preview on the lock screen, which allows physically proximate attackers to obtain sensitive information by reading this screen.

Best of the Web
Dark Reading Radio