Microsoft Windows has become increasingly secure over the years, although the odd exploit still crops up from time to time. This is understandable, since the world’s most popular desktop operating system, entrenched in the enterprise for more than 25 years, ships on hundreds of millions of PCs every year and as such remains a magnet for cybercriminal attention. Much of the modern cybersecurity ecosystem has roots in tools that were first designed to mitigate the effects of malware, viruses and Web attacks against Windows machines.
The concept and execution of recent efforts to compromise Microsoft’s OS may indicate where cyberattacks are heading: toward the discovery of critical, historically overlooked vulnerabilities and the coordination of targeted attacks. Consider the deep and relatively ancient – at least in technological terms – flaws uncovered in GNU Bash (in use for more than 20 years when the bug was found only this fall) and Heartbleed (present since around 2012). As Slate columnist and software engineer David Auerbach noted at the height of the Heartbleed story, there are probably plenty of years-old exploitable flaws out there that could become issues down the line. A recent, unusual Windows flaw has borne out this prediction.
Windows bug closed after 19 years in the wild: What it says about network security today
Remember Windows 95? It was a breakthrough – arguably the point at which the PC graphical user interface caught up with and even surpassed that of the Mac. It was the first version of Windows to have the Start menu and to support Internet access via Internet Explorer.
It was also, almost unbelievably, the original home of a remotely exploitable vulnerability that was closed this November, 19 years after the fact. IBM researchers reported that the release code of Windows 95 contained the flaw and that it had been exploitable for the past 18 years, despite “hiding in plain sight” while other issues were addressed.
The damage from this particular problem doesn’t appear to be extensive, but it’s a warning sign of how old weaknesses are constantly being unearthed to fuel new targeted attacks. A post to the Trend Micro TrendLabs blog looked at how these flaws can be just as problematic as the zero-day exploits that have been grabbing headlines for a while now. Why aren’t they found or dealt with more quickly?
“Vulnerabilities are almost always patched by vendors, especially if the vulnerability is considered critical. But despite the existence of patches, not all users and organizations apply them or apply them immediately,” explained the authors. “One reason would be that applying the patch might disrupt operations. Or there might be a significant delay in applying the patches as the patches first need to be tested before being applied to corporate environments.”
At first glance, the patching angle doesn’t seem to apply to the Windows remote privilege escalation attack, since for years the issue wasn’t that patches were being neglected but that no one had pinpointed the actual vulnerability. A patch did come out this month, but it’s important to point out that it may not be a silver bullet, since it doesn’t cover Windows XP, still the second most popular version of the OS after more than 13 years on the market.
For XP systems, the opportunity to patch this flaw has effectively passed, even if newer versions of Windows will benefit from having an age-old loophole closed. The slowness to act mentioned by the TrendLabs authors applies, in an indirect way, to how IT departments spent years on Windows XP for reasons of cost containment and stability but now face network security issues stemming from that decision. Today’s cybersecurity environment necessitates swift action to keep up with targeted attacks.
Effectively dealing with targeted attacks
In this case, the majority of Windows users – i.e., those running newer versions of the OS such as Vista, 7 and 8/8.1 – were lucky in that the issue was patched so quickly after its disclosure. Securing every device in the enterprise against the problem, though, may take more time, since every version of Windows Server from 2003 onward is vulnerable. As we’ve noted before, Windows Server 2003, like Windows XP, has remained stubbornly popular for years, especially in government.
What can CIOs and enterprise IT do to reduce their exposure to targeted attacks? Another TrendLabs post ran through some broad steps that could get companies on the right track to lowering the risk of having data stolen or systems compromised. The 19-year-old Windows bug, like many others that could potentially enable targeted attacks, allows for a subtle bypass of security mechanisms, in this case the authentication processes that nominally ensure that only high-level personnel have access to core assets. A solution to this problem should promote vigilance and careful control of the network.
The TrendLabs authors pointed to four parts of a good anti-targeted attack strategy, one that would meet these requirements:
- Prepare: Establish what constitutes “normal.” Otherwise, it will be hard to figure out what abnormal activity looks like.
- Respond: Tools such as network monitoring solutions allow for decisive action that contains a discovered threat.
- Restore: Getting back to normal is important in the wake of an attack. There must be clear communications about what happened and what is being done.
- Learn: Organizations must improve their practices after being attacked. Better patching and updating strategies are a start.
The Windows exploit described above is an outlier, with a persistence and power that is rare among such flaws. While many enterprises will never have to deal with this specific bug, they can take its discovery as an opportunity to reconsider how they think about targeted attacks. Curbing threats requires both constant, careful attention and quick action. A vulnerability may lurk in an OS for 19 years, but security teams can’t afford to wait that long.