We all know that vulnerabilities have become a hard currency in the security industry and criminal underground alike. But the good old days of remote, server-side vulnerabilities -- the big finds -- have slowed. The gaping holes have sealed. Today's bad guys no longer try to gut their targets with a swift blow. They bleed them with a thousand paper cuts: the formerly trivial vulnerabilities affecting applications like Word, PowerPoint, QuickTime and WinZip.
It seems that just five years ago, any half-competent programmer could find a buffer overflow in virtually any software published by any vendor. Today, we see a steady flow of small scores. "The focus has swung from server-side vulnerabilities to client-side vulnerabilities," says Sydney-based security researcher Chris Spencer. "We have seen plenty of preventative measures to tackle traditional server-side vulnerabilities, such as firewall technologies, and the attack surface has significantly decreased as vendors have become more educated about the risks of exposing services to the Internet."
He's right. It's been a few years in the making, but today's batches of security vulnerabilities are overwhelmingly focussed on client software. Everyone working in the information security field has watched this happen. But where will we be five years from now?
Some technical measures implemented by various vendors will have an impact. For example, Spencer says Windows Vista's Data Execution Protection security feature will raise the bar, but it's not going to eliminate entire classes of vulnerabilities. "As we have seen with the recent client-side ANI exploit, if these new protections are not utilised then the operating system is still as vulnerable as ever," he says. "I still expect to see many client-side buffer overflows to come, but I think we will eventually see a shift to more subtle memory corruption bugs and more focus on logic error vulnerabilities that are address independent."
Neohapsis CTO Greg Shipley says Vista's improved security features are evolutionary but not revolutionary. "The operating systems became harder targets from a research perspective, so we saw many researchers shift gears and go where things were easier; less-reviewed desktop applications," he says. "So I almost wonder if we should be paying more attention to Office 2007 than Vista security, as I think logic would dictate that Office 2007 is one of the major suites that will fall under the crosshairs next."