Today Trustworthy Computing released new research that examines the long-term impact of security mitigations that Microsoft has implemented to address software vulnerabilities. This analysis is based on a study of security vulnerabilities that have been addressed through Microsoft security updates over a seven year period (2006 – 2012) and are known to have been exploited.  The study focuses on assessing trends in the types of vulnerabilities that have been exploited, the product versions that have been targeted and the exploitation techniques that have been used by attackers.

Some of the key findings from the new research paper released today, called “Software Vulnerability Exploitation Trends,” include:

• The number of remote code execution (RCE) vulnerabilities that are known to be exploited per year appears to be decreasing.
• Vulnerabilities are most often exploited only after a security update is available, although recent years have shown an upward trend in the percentage of vulnerabilities that are exploited before a security update is available.

Figure 1: Percentages of CVEs that were exploited before vs. after security updates were available

• Stack corruption vulnerabilities were historically the most commonly exploited vulnerability class, but now they are rarely exploited.  The use of stack corruption vulnerabilities declined between 2006 and 2012 from 43% of exploited vulnerabilities to 7%.

Figure 2: The distribution of CVE vulnerability classes for CVEs that are known to have been exploited

• Use after free vulnerabilities are currently the most commonly exploited vulnerability class.
• Exploits increasingly rely on techniques that can be used to bypass the Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).

Figure 3: The number of CVEs that were exploited using specific exploitation techniques

There are plenty of other data points included in this new research that help us understand the factors that make exploitation of vulnerabilities more difficult.  Based on the research, the paper makes specific recommendations on how these factors can be influenced to help reduce the likelihood of exploitation and thereby help manage risk. 

This paper is recommended reading for people that are responsible for managing risk for their organization.  It can be downloaded from http://download.microsoft.com/download/F/D/F/FDFBE532-91F2-4216-9916-2620967CEAF4/SoftwareVulnerability Exploitation Trends.pdf

You might wonder why we conduct this type of research.  Many of the customers I talk to are interested in using software vulnerability counts as a measure of whether the industry and the software vendors they procure software from are getting better or worse at developing software that has fewer and less severe vulnerabilities.  We publish various vulnerability counts in the Microsoft Security Intelligence Report.  But simply counting vulnerabilities seems to assume that all vulnerabilities pose equal risk.  When we take a closer look at which vulnerabilities are actually exploited by attackers and how they are exploited, we can get a better picture of what’s really going on, which can inform how associated risks can be managed more efficiently. 

This research was conducted by the Microsoft Security Engineering Center (MSEC) and the Microsoft Security Response Center (MSRC).  The MSEC conducts some of the industry’s most advanced security science research.  This security science helps customers in three essential ways:

1. Helping to find software vulnerabilities.
2. Developing exploit mitigation techniques and tools that developers should adopt.  Security science research findings are used to inform the requirements and recommendations of the Microsoft Security Development Lifecycle (SDL), a mandatory part of the development process that every Microsoft product or service must implement. The goal is to make each new version of an operating system, browser or application harder to attack than previous versions, making it more difficult and costly for attackers to successfully develop effective malicious attacks.
3. Constantly monitoring threat trends and activity in the threat landscape and improving Microsoft tools and processes with the lessons learned. When this research determines that a new threat has entered the ecosystem, the MSRC and Microsoft’s response processes are engaged.

If you are interested in learning more about the MSEC and security science, please check out http://www.microsoft.com/msec.

Tim Rains
Director
Trustworthy Computing