I’ve just got back from a TechMesh event, and feel the need to rant. The speaker gave this quote (from memory):
If you are still running Windows XP or Server 2003, upgrade. Just do it. We could walk into your network in, oh, two minutes. Upgrade.
If only life were that simple. Move to Windows 7 and all my problems will be over? Sign me up. Or, to be fairer to the speaker, unless I move to Windows 7 my network is wide open? Not necessarily.
The trouble with this statement is that as a guide for action, it’s about as useful as this sign:

It’s a perfectly good sign; it just isn’t anywhere near the path.
Let’s start with the obvious: Microsoft deserve a lot of credit for making their latest OSs harder to exploit. DEP (actually introduced in XP SP2…), ASLR (from Vista onwards) and the rest mean exploiting Windows is now hard. Hard means it’s expensive to develop exploits, and that is good. What it doesn’t mean is that it’s impossible, or, in practice, that it’s much more work for the attacker, because somebody else usually does the expensive part for them.
Let’s say I want to break into a company that runs only Windows 7 and Server 2008. A quick look at the MS Security patch list shows me plenty of targets. Look at the number of bugs ranked “critical” that apply to Windows XP, Vista and 7 alike. And that’s before we move on to this year’s favourite target, Adobe.
Nothing about moving to Windows 7 makes this attack much harder. Even if we have to write the exploit ourselves (very unlikely), DEP and ASLR make it harder to get a reliable one, but there have been enough public exploits this year to prove that they are not a barrier either. It would be more expensive, but in most cases the attacker is just going to grab Metasploit rather than write an exploit from scratch.
But of course, in most cases the easy way in is to target an executive for spear phishing (high enough up to demand admin rights and get them) and send them either a malicious PDF or the old-fashioned “click here to download the codec”. Even if the person attacked is clued up enough to understand code signing (which seems unlikely), we could go with signed malware.
What about Server 2008? Isn’t that more secure? Well, yes. Again, it’s much improved (e.g. LM password hashes are no longer stored by default), but in most enterprises it’s not going to be the weak spot. SQL injection against a vulnerable web application, followed by token stealing once you have a shell on the box, works fine.
Moving to Windows 7 and Server 2008 is good advice. If you have infinite resources, doing it now is good advice. If you don’t have infinite resources (my workplace certainly doesn’t), then blindly rushing in is probably not the best plan.
Upgrade in good time, but do it right, and in the meantime look at everything else. It’s far more likely you have serious holes elsewhere (start by asking how many users have admin rights and go from there), where the resources could be better used. Upgrade to Windows 7 for business reasons when ready, not before.
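To make “ask how many users have admin rights” concrete, here is an added example (my own, not part of the original post) that walks a list of hosts and lists the members of each local Administrators group. It uses the WinNT ADSI provider, which is present on XP, 2003, 7 and 2008 without any extra modules, so it runs against exactly the mixed estate this post is about. The hostnames and the “expected” baseline are made-up placeholders; swap in your own inventory and the accounts your policy actually allows.

```powershell
# Added example, not from the original post: enumerate local Administrators
# membership across a set of hosts to see how many users really hold admin rights.
# Assumptions: you run this as an account that can read the remote SAM (a domain
# admin or a local admin on each target), and the hostnames/baseline below are
# placeholders to replace with your own.

$computers = @('WKS-FIN-01', 'WKS-FIN-02', 'SRV-WEB-01')   # constructed list; replace with your inventory
$expected  = @('Administrator', 'Domain Admins')          # members you accept in the group (assumed policy)

$results = foreach ($computer in $computers) {
    try {
        # Bind to the local Administrators group via the WinNT provider (works on XP/2003/7/2008).
        $group   = [ADSI]"WinNT://$computer/Administrators,group"
        $members = @($group.psbase.Invoke('Members'))
        foreach ($m in $members) {
            # Members come back as raw COM objects; pull the properties we care about by name.
            $name  = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
            $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
            $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
            New-Object PSObject -Property @{
                Computer = $computer
                Member   = $name
                Class    = $class                          # 'User' or 'Group'
                Source   = $path -replace '^WinNT://', ''  # e.g. DOMAIN/jsmith or HOST/localuser
                Expected = ($expected -contains $name)
            }
        }
    } catch {
        # Unreachable host, RPC blocked, or no rights: record it rather than silently skipping.
        Write-Warning "$computer : $($_.Exception.Message)"
    }
}

# Unexpected members (individual user accounts in particular) are where to start asking questions.
$results | Where-Object { -not $_.Expected } |
    Sort-Object Computer, Member |
    Format-Table Computer, Member, Class, Source -AutoSize

# A headline number for the business case: hosts where someone outside the baseline is an admin.
$badHosts = @($results | Where-Object { -not $_.Expected } |
    Select-Object -ExpandProperty Computer -Unique)
"{0} of {1} hosts have non-baseline local administrators" -f $badHosts.Count, $computers.Count
```

Two caveats: a domain group such as “Domain Users” nested into local Administrators will show up as a single expected-looking Group row, so check the Class column and resolve any unfamiliar groups rather than counting them as one user; and the WinNT provider needs RPC to the target, so a host that warns as unreachable is an unknown, not a clean result.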