CVE's, Vulnerabilities, etc vs. Real-World Actual Hits: Any Measures/Statistics?

Topic

New Reply

My original post got no reaction, so I’m putting it down here, so I guess this is a cross-post from:

https://www.askwoody.com/forums/topic/patch-lady-we-have-another-spectre-meltdown/

—

It would be interesting (if only to me, maybe) if someone did an unbiased study regarding CVE’s, Zero Days and other vulnerabilities vs. actual exploits for them found in the wild on a percentage basis, broken further down by:

Attack surface:

A) DNS servers

B) Enterprise Level Machines and Servers

C) Small Business Level

D) Home user Level (C and D are sometimes very similar.)

The reason I ask this question is I really want to know how much damage has been inflicted, and at what level(s) over the years. I did some research, but turned up very little that was specific.

Now this statement may tweak a few noses, but there’s an awful lot of money being made by spreading FUD among the general public by makers of AV and Anti-Malware products, as well as on-line Security Pubs, tho bless ’em, most are not hysterical over-reactors. (I think.).. Having been inside a Marketing Department several times in my life, it just makes me wonder. Most vendors are probably not over-hyping (I hope). But…”Who will guard the Guardians”?

(Conclusions would be hard to draw, since severe CVE’s get patched, making them unattractive, and even if they are, the smaller fish down the food chain just aren’t worth the effort it takes to bring off a successful exploit.)

But I wonder if anyone’s ever done a study on this. Natch, no one wants to play against the house, so to speak; I just wonder if a study like this has ever been done. I don’t expect to find Stuxnet on my machine, but it would be valuable to weigh the AV/Anti-Malware Vendors of the world and Security columnist drum-beating vs. the actual damage inflicted, and at what level, over the years.

(For C and D above, the variables in user sophistication might render such a study useless.)

Thoughts?

(Helmet on, dives in trench.)

Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
--
"The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

2 users thanked author for this post.

Bertram Pincus, geekdom

Reply | Quote

Replies

No doubt a paper would generate a doctorate in computer science.

On permanent hiatus {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender

1 user thanked author for this post.

Nibbled To Death By Ducks

Reply | Quote

Truly…and I had to go off and be a Humanities/English Major…which explains why I’m always broke! I should have been an Engineer, or wafted myself off to The Ivory Tower Land of .edu…(where, I hear, the scratching and scrabbling is almost as bad as the commercial world…but then there’s tenure, great bennies, and decent pay…at least in Europe…but it’s “publish or perish”. Well, “The grass is always greener”…even with “Ivy covered professors, in Ivy covered halls…” [Thanks to Mr. Lehrer.])

Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
--
"The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

Reply | Quote

One My experiences is this. The Pain called Vundo. Was using Avast at the time and this was before Avast knew about Vundo (no definitions yet for Vundo). I learned that day to NEVER truth just one ANTIVIRUS to protect you, as Virus Total did have ONE result that did see the pain. Home Computer and lots of fun getting rid of it. Probably using XP at the time.

1 user thanked author for this post.

Nibbled To Death By Ducks

Reply | Quote

dont run more than one AV ‘live’ in Windows.  You’re asking for trouble, for eg., RSA machine key exponential growth, or say AV1’s definition of XyZworm causing AV2 to flag & inadvertently affect/infect a machine.  Sandbox or VM/VMr is best way to hedge your bet against using IT  😛

 

*Our best safeguard on the application side is our collective checks/balances (open source -did IBM buy RedHat?).  Hardware is a diff. can of worms

https://seekingalpha.com/article/4138355-intel-inside-sold-intel-bought-ibm

1 user thanked author for this post.

Nibbled To Death By Ducks

Reply | Quote

“Dont run more than one AV ‘live’ in Windows.”

Yeah, I follow that. I run MSE, and keep Malwarebytes NOT running, as I might want to use my memory for something… 🙂

But I DO take it out and run it weekly after MSE to see if MSE missed anything.

I got clobbered ONCE many years ago by piece of nastyware 2 hours BEFORE Eset issued a definition for it; it was running rampant globally.

Which is another reason AV and Malware dete ctors relying on “Definitions” alone has got to change. Big challenge.

Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
--
"The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

Reply | Quote

https://www.techsupportalert.com/best-free-windows-desktop-software.htm?page=7

“Use one (and only one) antivirus program for real-time protection.”

As a rule if I find a computer likey to have a virus. I scan with at least FIVE programs. and if any one of them finds something then I add another. There are:

Malwarebytes ( install, scan rescan until nothing is found, uninstall)
Online scan with Eset
AdwCleaner
Hitmanpro
Junkware Removal Tool

And for example lets say you only use defender. Well look at this:

https://www.bleepingcomputer.com/news/security/new-trickbot-version-focuses-on-microsofts-windows-defender/

“A new version of the TrickBot banking Trojan continues its evolution of targeting security software in order to prevent its detection and removal. In this new version, TrickBot has set its sights on Windows Defender, which for many people is the only antivirus installed on a Windows 10 machine.”

So by only using Defender, you could be infected and not even know it. Alway best (IMO) to check with at least another NON REAL TIME antivirus!

Reply | Quote

Top notch post!  I’ve thought about it a few times today since first reading it.  We’re kind of in new, unchartered waters today with the kernel/side-channel possible exploits (the 40+ drivers is in there too).  This is what intrigues me, while also off-putting and a little scary -all groups, A-D, wouldn’t likely know until it’s too late.   Hypothetically, let’s say 10% manifested in the wild, across the board, all groups until 2018.  Post 2018+/-, will we have accurate data and reference points -or will machines be running NSA, Chinese, Blackhat (you choose) botnets unbeknownst to their users?  We’ve seen a transition to exploiting the hardware side, which ofc is a little scarier given end users have less control.  When Intel’s CEO sells-off his stock a week before the first mention of Spectre/Meltdown we should have known times are changing.  Building the inpentrable fortress is 1billion times more difficult than trying to sniff out exploits.

Back to point: IME is weird to me, anyone else, Bueller?  There’s a lot of money being made in selling new CPUs/hardware! (as well as AV/AM protection, as you noted -but the AV/AM grift is becoming more obsolete/useless against spectre/meltdown, bunk drivers out of the box, e.t.).

1 user thanked author for this post.

Nibbled To Death By Ducks

Reply | Quote

An excellent question – and one that’s hard to define.

Best info I have is in my “Knee Jerk” article in Computerworld. https://www.computerworld.com/article/3402718/the-case-against-knee-jerk-installation-of-windows-patches.html

There is one Microsoft study that doesn’t directly address your questions, but hints at them broadly.

1 user thanked author for this post.

Nibbled To Death By Ducks

Reply | Quote

The Boss said, “An excellent question – and one that’s hard to define.”

Yeah, I know, sorry…one day back when dinosaurs roamed the Earth, a teacher looked at me and said, “(expletive), why do you have to ask the hard questions?” :/

Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
--
"The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

Reply | Quote

[Microfix]

? says:

is the “Windows CTF text Vulnerability,” info in post # 1907609 of any concern? or more scare mongering?

https://googleprojectzero.blogspot.com/2019/08/down-rabbit-hole.html

i disable ctfmon

• This reply was modified 5 years, 7 months ago by Microfix.
• This reply was modified 5 years, 7 months ago by PKCano.

Reply | Quote

? says:

sorry the post # is 197609 in “Big Bunch of Bad Drivers,” and the link goes to zdnet 8/13/2019. the project zero article by Tavis Ormandy demonstrates the vulnerability in Windows Text Services Framework. from the included demo videos it looks like it can be used to get system privileges in seconds. i’m wondering if this just another window’s bug of if it is something to keep track of?

Reply | Quote

[geekdom]

Here’s a theory that would create a paper and form the basis for research that proves or disproves the theory.

There are several types of invasive malware:

• Malware that can be addressed by your anti-virus software. This prevention is easiest to apply by keeping your anti-virus definitions up-to-date.
• Bugs and holes introduced by other software and patches as a result of the knee-jerk reaction described by Woody Leonhardt: https://www.computerworld.com/article/3402718/the-case-against-knee-jerk-installation-of-windows-patches.html
  This type of invasion is harder to prevent and in the event of infection, much harder to cure. It’s also more wide-spread than the first instance. To patch or not to patch? You have some control.
• Private-information hack due to third-party failure to protect such information. In this case, the hack isn’t known until much later, may not be publicly disclosed, and affects a large number of people with dire consequences. You have no control over prevention, and subsequent damage control is extensive.

In the three cases, severity increases while your ability to limit the hack decreases. And that’s where the research enters. Based on a statistical and reasonable sample and analysis, is this hypothesis true? What conclusions may then be drawn?

Also of interest, what is the percentage of each case?

On permanent hiatus {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender

• This reply was modified 5 years, 7 months ago by geekdom.
• This reply was modified 5 years, 7 months ago by geekdom.

1 user thanked author for this post.

Nibbled To Death By Ducks

Reply | Quote