Patching and the Uncertainties of Exploitability

By Ryan Smith ·

In late December, the latest IIS FTP service vulnerability was made public by Matthew Bergin.  This event is significant because it’s been a while since the last time a Windows Service had an unauthenticated vulnerability.  While the FTP server isn’t enabled by default, the service is quite prolific in web hosting.  For most researchers in the community it was a little disheartening to see that the vulnerability resulted in a Denial of Service instead of Remote Code Execution.  Microsoft’s exact words were “Because of the nature of the overrun the probable result will only be a denial of service and not code execution”

Most large organizations have a difficult time patching vulnerabilities, because patching and releasing fixes to vulnerabilities can be a costly process.  Compounding this conundrum is the fact that many vulnerabilities are released without a working exploit.  Businesses asked Microsoft for some indicator of exploitability and Microsoft responded with the Exploitability Index.  The idea behind this is a value ranging from one to three gives these organizations a metric to determine which patches to apply first.

Unfortunately Microsoft lacks both time and resources to accurately measure the exploitability of each vulnerability for the patch release.  Also, exploitation is more of an art form than an exact science, thus providing quantitative data on the exploitation likelihood is a perplexing proposition.  In order to truly measure the exploitability it requires researchers well versed in exploitation techniques and these resources are difficult to recruit.  Therefore, all though our opinion may differ from Microsoft’s original stance on the exploitability of this particular vulnerability, there is no doubt in our minds that Microsoft conducted all due diligence when arriving at their conclusion.

When we first saw the report, we thought it was a narrowing window of time before someone came out with an exploit.  However, when January 7thcame we decided to develop empirical evidence for our gut feeling.  When January 11throlled around, we provided our empirical evidence to people following us on twitter (@nudehaberdasher and @hustlelabs), that this vulnerability was indeed exploitable for code execution.

While executives require tactical information to form the best strategies for their individual organizations, providing this information requires a specialized skill honed through time, experience, pouring through assemblies of heap allocation routines and the mind set of an exploit writer.  We were grateful to have the opportunity to share our work, giving our twitter followers a heads up in real time, and are excited to speak regarding the specifics of this vulnerability and exploitation techniques at a conference in the near future.