Small earthquake in Chile

Henry Harrison

“Small earthquake in Chile. Nobody hurt.”

Traditionally, this is supposed to be the ultimate non-news headlines – real evidence that a newspaper is scraping the bottom on a slow day. But perhaps today we should come up with a new archetype for the non-news headline:

“Vulnerabilities found in popular software product. Patches issued.”

In practice of course, it’s not the case: vulnerabilities do still generate headlines, at least in the technical press. Just today, I ran across the following article at The Register:

It’s 2018, and a webpage can still pwn your Windows PC – and apps can escape Hyper-V

I’ll be honest: I was interested in what the article had to say. Turns out (a) a major browser had a flaw that allowed a malicious website to execute arbitrary code on the user’s computer, and (b) a major hypervisor technology had a vulnerability that allowed software running in a virtual machine to break out of the VM and gain access to the host system (and other VMs). Not to mention a whole range of other vulnerabilities.

But the truth is, I shouldn’t really be interested at all. There are headlines like this every month. Surely it should be non-news by now?

For some reason, we all find it hard to come to terms with the simple fact that software has vulnerabilities. Indeed, I had a discussion a little while back with a senior cyber security professional at a well-known major enterprise, and I ventured to suggest that our competitors’ security products, being as they are based on software, would be bound to have security vulnerabilities.

“Interesting claim” he said. “Prove it.”

We need to get used to the fact that the burden of proof is the reverse: software must be assumed to have vulnerabilities (indeed, lots of them) unless there’s unusually strong evidence to suggest otherwise.

Some further questions

Here are a couple of questions that the headline raised for me.

1) Microsoft tells us that there is evidence of two of the vulnerabilities being exploited “in the wild.”

It’s easy to assume that the rest of the vulnerabilities (I haven’t counted them, but there were 68 patches issued) haven’t yet been exploited. That would be a lazy assumption. Zero-day vulnerabilities are valuable resources: they can be used to attack even well-patched systems. If attacks that exploit them get detected, they get patched and lose their value. It’s therefore in the attackers’ interests to avoid leaving evidence when they make use of them.

So: how many of the other vulnerabilities have in fact been exploited – but without leaving evidence?

2) How vulnerable was Azure to the Hyper-V vulnerability?

Maybe someone from Microsoft can answer this for me. I read that Azure is built on a custom variant of Windows (though I can’t immediately find the primary source for this information) but given the number of Windows variants affected by the Hyper-V vulnerability, it seems like a reasonable question to ask.

If it was vulnerable, then I guess there are some security folks in Redmond right now working very hard to try and determine whether there’s any evidence that someone (most likely a nation state) made use of the vulnerability to break out of an instance and gain access to the underlying Azure fabric.

That said, probably they’re more mature than that. They know full well that there are more, as yet undiscovered, vulnerabilities in Hyper-V so it’s probably just as likely that an attacker exploited one of those to gain access to the Azure fabric as it is that they exploited the one that just happens to have been found.

Even small Chilean earthquakes…

But really, these questions ought to be as mundane as the story itself. In fact, this whole article is a paradox: an attempt to interest you in a story where our collective reaction really ought to be “meh. Tell me something newsworthy.”

Still, even small earthquakes in Chile are interesting to some people. I think it’s a telling insight into the South American psyche that after a recent Chilean earthquake in which my friends’ house was quite badly damaged (though luckily they and the kids were unhurt), my friend Enrique’s first priority was to get his barbecue area back up and running…