CVE's, Vulnerabilities, etc vs. Real-World Actual Hits: Any Measures/Statistics?

    Posted by Nibbled To Death By Ducks on the AskWoody Lounge


    This topic contains 12 replies, has 5 voices, and was last updated by  anonymous 2 days, 7 hours ago.

    • #1907387

      My original post got no reaction, so I’m putting it down here, so I guess this is a cross-post from:

      Patch Lady – we have another Spectre/Meltdown

      It would be interesting (if only to me, maybe) if someone did an unbiased study regarding CVE’s, Zero Days and other vulnerabilities vs. actual exploits for them found in the wild on a percentage basis, broken further down by:

      Attack surface:

      A) DNS servers

      B) Enterprise Level Machines and Servers

      C) Small Business Level

      D) Home user Level (C and D are sometimes very similar.)

      The reason I ask this question is I really want to know how much damage has been inflicted, and at what level(s) over the years. I did some research, but turned up very little that was specific.

      Now this statement may tweak a few noses, but there’s an awful lot of money being made by spreading FUD among the general public by makers of AV and Anti-Malware products, as well as on-line Security Pubs, tho bless ’em, most are not hysterical over-reactors. (I think.).. Having been inside a Marketing Department several times in my life, it just makes me wonder. Most vendors are probably not over-hyping (I hope). But…”Who will guard the Guardians”?

      (Conclusions would be hard to draw, since severe CVE’s get patched, making them unattractive, and even if they are, the smaller fish down the food chain just aren’t worth the effort it takes to bring off a successful exploit.)

      But I wonder if anyone’s ever done a study on this. Natch, no one wants to play against the house, so to speak; I just wonder if a study like this has ever been done. I don’t expect to find Stuxnet on my machine, but it would be valuable to weigh the AV/Anti-Malware Vendors of the world and Security columnist drum-beating vs. the actual damage inflicted, and at what level, over the years.

      (For C and D above, the variables in user sophistication might render such a study useless.)

      Thoughts?

      (Helmet on, dives in trench.)

      Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", Group "Wait for the all-clear", Multiple Air-Gapped backup drives in different locations, "Don't check for updates-Full Manual Mode."
      --
      "...All the people, all the time..." (Peter Ustinov ad-lib from "Logan's Run")

      2 users thanked author for this post.
    • #1907525

      geekdom
      AskWoody Plus

      No doubt a paper would generate a doctorate in computer science.

      Group G{ot backup} Win7Pro · x64 · SP1 · i3-3220 · TestBeta · Microsoft Security Essentials
      1 user thanked author for this post.
      • #1908161

        Truly…and I had to go off and be a Humanities/English Major…which explains why I’m always broke! I should have been an Engineer, or wafted myself off to The Ivory Tower Land of .edu…(where, I hear, the scratching and scrabbling is almost as bad as the commercial world…but then there’s tenure, great bennies, and decent pay…at least in Europe…but it’s “publish or perish”. Well, “The grass is always greener”…even with “Ivy covered professors, in Ivy covered halls…” [Thanks to Mr. Lehrer.])

        Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", Group "Wait for the all-clear", Multiple Air-Gapped backup drives in different locations, "Don't check for updates-Full Manual Mode."
        --
        "...All the people, all the time..." (Peter Ustinov ad-lib from "Logan's Run")

    • #1907580

      anonymous

      One of my experiences is this: the pain called Vundo. I was using Avast at the time, and this was before Avast knew about Vundo (no definitions yet for Vundo). I learned that day to NEVER trust just one ANTIVIRUS to protect you, as VirusTotal did have ONE result that did see the pain. Home computer, and lots of fun getting rid of it. Probably using XP at the time.

      1 user thanked author for this post.
      • #1908174

        Bertram Pincus
        AskWoody Lounger

        Don't run more than one AV ‘live’ in Windows. You’re asking for trouble, e.g., RSA machine key exponential growth, or say AV1’s definition of XyZworm causing AV2 to flag & inadvertently affect/infect a machine. Sandbox or VM/VMr is the best way to hedge your bet against using IT 😛


        *Our best safeguard on the application side is our collective checks/balances (open source – did IBM buy Red Hat?). Hardware is a different can of worms.

        https://seekingalpha.com/article/4138355-intel-inside-sold-intel-bought-ibm

        1 user thanked author for this post.
        • #1909118

          “Don't run more than one AV ‘live’ in Windows.”

          Yeah, I follow that. I run MSE, and keep Malwarebytes NOT running, as I might want to use my memory for something… 🙂

          But I DO take it out and run it weekly after MSE to see if MSE missed anything.

          I got clobbered ONCE many years ago by a piece of nastyware 2 hours BEFORE Eset issued a definition for it; it was running rampant globally.

          Which is another reason AV and malware detectors relying on “definitions” alone have got to change. Big challenge.

          Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", Group "Wait for the all-clear", Multiple Air-Gapped backup drives in different locations, "Don't check for updates-Full Manual Mode."
          --
          "...All the people, all the time..." (Peter Ustinov ad-lib from "Logan's Run")

        • #1910618

          anonymous

          https://www.techsupportalert.com/best-free-windows-desktop-software.htm?page=7

          “Use one (and only one) antivirus program for real-time protection.”

          As a rule, if I find a computer likely to have a virus, I scan with at least FIVE programs, and if any one of them finds something then I add another. They are:

          Malwarebytes ( install, scan rescan until nothing is found, uninstall)
          Online scan with Eset
          AdwCleaner
          Hitmanpro
          Junkware Removal Tool

          And for example, let's say you only use Defender. Well, look at this:

          https://www.bleepingcomputer.com/news/security/new-trickbot-version-focuses-on-microsofts-windows-defender/

          “A new version of the TrickBot banking Trojan continues its evolution of targeting security software in order to prevent its detection and removal. In this new version, TrickBot has set its sights on Windows Defender, which for many people is the only antivirus installed on a Windows 10 machine.”

          So by only using Defender, you could be infected and not even know it. Always best (IMO) to check with at least one other NON REAL TIME antivirus!

    • #1907728

      Bertram Pincus
      AskWoody Lounger

      Top notch post! I’ve thought about it a few times today since first reading it. We’re kind of in new, uncharted waters today with the kernel/side-channel possible exploits (the 40+ drivers are in there too). This is what intrigues me, while also off-putting and a little scary: all groups, A-D, wouldn’t likely know until it’s too late. Hypothetically, let’s say 10% manifested in the wild, across the board, all groups until 2018. Post 2018 +/-, will we have accurate data and reference points, or will machines be running NSA, Chinese, Blackhat (you choose) botnets unbeknownst to their users? We’ve seen a transition to exploiting the hardware side, which of course is a little scarier given end users have less control. When Intel’s CEO sold off his stock a week before the first mention of Spectre/Meltdown we should have known times are changing. Building the impenetrable fortress is 1 billion times more difficult than trying to sniff out exploits.

      Back to point: IME is weird to me, anyone else, Bueller? There’s a lot of money being made in selling new CPUs/hardware! (As well as AV/AM protection, as you noted, but the AV/AM grift is becoming more obsolete/useless against Spectre/Meltdown, bunk drivers out of the box, etc.)

      1 user thanked author for this post.
    • #1907746

      woody
      Da Boss

      An excellent question – and one that’s hard to define.

      Best info I have is in my “Knee Jerk” article in Computerworld. https://www.computerworld.com/article/3402718/the-case-against-knee-jerk-installation-of-windows-patches.html

      There is one Microsoft study that doesn’t directly address your questions, but hints at them broadly.

      1 user thanked author for this post.
      • #1908163

        The Boss said, “An excellent question – and one that’s hard to define.”

        Yeah, I know, sorry…one day back when dinosaurs roamed the Earth, a teacher looked at me and said, “(expletive), why do you have to ask the hard questions?” :/

        Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", Group "Wait for the all-clear", Multiple Air-Gapped backup drives in different locations, "Don't check for updates-Full Manual Mode."
        --
        "...All the people, all the time..." (Peter Ustinov ad-lib from "Logan's Run")

    • #1907811

      anonymous

      ? says:

      Is the “Windows CTF text Vulnerability” info in post #1907609 of any concern? Or more scaremongering?

      https://googleprojectzero.blogspot.com/2019/08/down-rabbit-hole.html

      I disable ctfmon.

      • #1907880

        anonymous

        ? says:

        Sorry, the post # is 197609 in “Big Bunch of Bad Drivers,” and the link goes to ZDNet 8/13/2019. The Project Zero article by Tavis Ormandy demonstrates the vulnerability in Windows Text Services Framework. From the included demo videos it looks like it can be used to get system privileges in seconds. I’m wondering if this is just another Windows bug or if it is something to keep track of?

    • #1908314

      geekdom
      AskWoody Plus

      Here’s a theory that would create a paper and form the basis for research that proves or disproves the theory.

      There are several types of invasive malware:

      • Malware that can be addressed by your anti-virus software. This prevention is easiest to apply by keeping your anti-virus definitions up-to-date.
      • Bugs and holes introduced by other software and patches as a result of the knee-jerk reaction described by Woody Leonhard: https://www.computerworld.com/article/3402718/the-case-against-knee-jerk-installation-of-windows-patches.html
        This type of invasion is harder to prevent and in the event of infection, much harder to cure. It’s also more wide-spread than the first instance. To patch or not to patch? You have some control.
      • Private-information hack due to third-party failure to protect such information. In this case, the hack isn’t known until much later, may not be publicly disclosed, and affects a large number of people with dire consequences. You have no control over prevention, and subsequent damage control is extensive.

      In the three cases, severity increases while your ability to limit the hack decreases. And that’s where the research enters. Based on a statistical and reasonable sample and analysis, is this hypothesis true? What conclusions may then be drawn?

      Also of interest, what is the percentage of each case?

      Group G{ot backup} Win7Pro · x64 · SP1 · i3-3220 · TestBeta · Microsoft Security Essentials
      1 user thanked author for this post.
