Hackers Use Patches To Develop Exploits
Microsoft gets beaten up quite often for both the frequency and severity of the vulnerabilities that are discovered in their operating systems and applications.
Microsoft vulnerabilities were successfully exploited by such high-profile threats as SQL Slammer and MSBlast, which continue to circulate and cause problems for the unpatched and unprotected.
It has been a point of debate for a while, and even more so lately, whether security researchers should publicly disclose the code to exploit a vulnerability when announcing the discovery of that vulnerability (see Disclosing Exploit Code). Historically it was a practice followed to prove to the world that you had in fact discovered a flaw. In other words, if you didn't demonstrate exploitation of the vulnerability, how could anyone trust or believe you had in fact discovered one?
There is a more or less unwritten code of ethics that says security researchers must notify the vendor of the flawed application and give them a reasonable amount of time to create a patch or update to fix the flaw before they publicly disclose the discovery. During that time, whether it's 1 week or 1 year, the vulnerability still exists for anyone to find and exploit, and the only thing "protecting" users of the vulnerable product is security through obscurity (see Security Through Obscurity).
So, during this security-by-obscurity period, why aren't these vulnerabilities found and exploited? In February Microsoft released Security Bulletin MS04-007, which addressed a critical vulnerability in Microsoft's implementation of the ASN.1 protocol. This flaw, which had been reported to Microsoft by eEye Digital Security eight months earlier, has been declared by some to be the biggest hole in the Windows operating system yet. While Microsoft and eEye kept this flaw secret, hackers, crackers and other malcontents had eight months in which to find and exploit it before the patch was released. Why didn't they?
It seems that the developers of exploits and other malware are a little lazy. While security firms dig through every line of code looking for the next big flaw on which to hang their hats and their reputations, and market their security expertise to the world, the hackers aren't as motivated to do so. Why spend all that time trying to find the holes if someone else will do that for you?
Instead of sifting through millions of lines of code looking for the holes, it seems that most, if not all, malicious developers wait for the vendor, particularly Microsoft, to release the patch first. By reverse engineering the patch they can find out exactly where the flaw is and how the vendor repaired it. The patch provides an enormous amount of detail about the flaw and allows a malicious developer to learn where the weak spot is so they can exploit it.
The challenge is that the timeframe from patch release to exploit release is decreasing to almost nothing. The bad guys have better and faster tools that allow them to decompile and debug the patch and create and package an exploit much faster than in years gone by. The user community gets a slight edge in that the patch is almost always released before the exploit, but they must be diligent to apply the necessary patches quickly before they become a victim of the exploit.
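As an added illustration (not from the article, and not any vendor's code), the script below diffs a constructed, hypothetical pre-patch and post-patch version of a record-parsing routine and reports which function changed and which added lines are new checks. That is exactly the information a released patch hands to anyone who reads it, and why the window between patch release and applying it matters for defenders.

```python
"""Show how much a patch reveals: diff two versions of a routine and
report the touched function and any added lines that look like checks.
Both snippets are constructed for this example; they are not real code."""
import difflib
import re

# Constructed hypothetical pre-patch routine: copies a length-prefixed
# record without checking that the length fits inside the buffer.
BEFORE = """\
int read_record(const unsigned char *buf, size_t buflen, size_t *pos, unsigned char *out)
{
    size_t len = buf[*pos + 1];
    memcpy(out, buf + *pos + 2, len);
    *pos += 2 + len;
    return 0;
}
"""

# Constructed post-patch version: the vendor added a bounds check.
AFTER = """\
int read_record(const unsigned char *buf, size_t buflen, size_t *pos, unsigned char *out)
{
    size_t len = buf[*pos + 1];
    if (*pos + 2 + len > buflen)
        return -1;
    memcpy(out, buf + *pos + 2, len);
    *pos += 2 + len;
    return 0;
}
"""

# Matches a C function definition line such as "int read_record(" and captures the name.
FUNC_RE = re.compile(r"^\w[\w\s\*]*?\b(\w+)\s*\(")

def changed_functions(before, after):
    """Return {function_name: [added lines]} for every function the patch touched."""
    added = {}
    current = None
    for line in difflib.ndiff(before.splitlines(), after.splitlines()):
        tag, text = line[:2], line[2:]
        if tag in ("  ", "+ "):
            match = FUNC_RE.match(text)
            if match:
                current = match.group(1)  # track which function we are inside
        if tag == "+ " and current:
            added.setdefault(current, []).append(text.strip())
    return added

def new_checks(before, after):
    """Return the added lines that are conditionals comparing values (likely new checks)."""
    return [line for lines in changed_functions(before, after).values()
            for line in lines
            if line.startswith("if ") and any(op in line for op in ("<", ">", "=="))]
```

Running `new_checks(BEFORE, AFTER)` points straight at the added length comparison, which is the flaw's location and its fix in one line.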
For more information about this phenomenon I recommend you read this article by Mark Ward on the BBC News web site: Hackers exploit Windows patches.
Source: ...