Microsoft fixed a bumper crop of software vulnerabilities in 2014, overwhelmingly remote code execution (RCE) flaws in the Internet Explorer family, a new analysis by security firm ESET has confirmed.
On a brighter note, the complex security measures Microsoft introduced to secure Windows 7 and Windows 8 have raised the level of effort required to launch successful attacks on users, the firm said.
Discerning trends in Windows Exploitation 2014 requires a steady eye, with the number of public vulnerabilities in Win32, .NET, Office, and various User Mode Components (UMC) all at relatively low levels. The number of dangerous kernel-mode flaws was also very low.
Comparing the firm’s 2013 vulnerability analysis with 2014’s figures shows that all these categories fell significantly during the year, the glaring exception being Internet Explorer versions 6 through 11, where flaw numbers doubled to around 240.
The authors don’t come up with a reason for this so we will do so for them – the age and number of supported versions make Internet Explorer a plum target for attackers hunting down flaws in code. Given the number of vulnerabilities being recorded, it’s an approach that is clearly working.
As the report makes clear, Microsoft has devoted considerable efforts to fighting back but must struggle against the sheer complexity of the code base it is tending.
Techniques included older ideas such as Address Space Layout Randomization (ASLR) and Data Execution Prevention, which go back to Vista and Windows XP SP2 respectively, as well as more recent innovations including IE 10’s Enhanced Protection Mode (EPM), EMET 5.1 and Out-of-Date ActiveX control blocking that stops older and vulnerable software plug-ins being called during attacks.
Although attackers could find ways around each of these layers, the cumulative result was having some positive effect.
“Ultimately, the improved mitigations against RCE-exploits lead to increases in the cost of exploit development,” concluded Russia-based ESET researcher, Baranov Artem.
“Attackers need more money and time for investigating new vulnerabilities that can help to bypass improved anti-exploit security features. Today, they need a set of two or even three exploits to penetrate into the system and get full control under computer.”
The problem, of course, is that Windows today is a collection of old and new bits of code going back more than a decade and this complexity offers attackers too many ways in. With Windows 10 due to launch a new raft of security layers later this year, this complexity will be with us for some time to come.