Microsoft Patch Release Highlights Global Cyber Vulnerability

By: - June 23, 2018

It takes time for findings at the cutting edge of science to trickle down into the mainstream of society. Often it could be years before the relevance of discoveries is even understood by people outside of the research world in any particular field.

In the modern tech-based wonder world we now occupy, this research is not only about expanding the fields of science or inventing an innovative device. It’s also about maintaining the safety of the technologies we’re already using. From the pharmaceutical industry, to structural engineering, to finance, there is a lot of brain power, both human and machine, that goes into just making sure that everything is still running smoothly. If there are potential dangers ahead, we hope they’ll be spotted.

Like all scientific exploration, implications of findings are not immediately appreciated—even by the very people who are utilizing the relevant technologies. Perhaps nowhere is this more pronounced than in the field of systems updates that support our digital infrastructure. While everyone uses computer software to go about their personal or business routine, many are often oblivious to both the work in supporting these programs and the dangers discovered in the course of that work.

People who deal with information technology (IT) for a living have a somewhat different perspective. These individuals are typically trained to understand the importance of such updates and the vulnerabilities they expose. So when an industry leader like Microsoft releases vulnerability assessments, as it did recently, this community of professionals tends to pay attention.

Microsoft, like all major program producers, supports its products, at least the ones that have been manufactured and sold in the last several years. This means Microsoft technicians continue to scour the inner workings of these products to ensure that any vulnerabilities are identified and corrected, or “patched.” Considering that contemporary Microsoft products contain tens of millions of lines of code, it shouldn’t be surprising when unforeseen weaknesses are uncovered.

This most recent series of updates from Microsoft was particularly interesting as it contained news of some very serious flaws in the company’s products.

Uncovering the Weak Points

The weaknesses uncovered by Microsoft’s engineers were ways in which cyber criminals could execute some very dirty tricks—all through programs that users themselves had installed on their devices. In all, over fifty vulnerabilities affecting Windows, Edge, MS Office, MS Office Exchange Server, ChakraCore and Adobe Flash Player were present. Eleven of the flaws were rated “critical” and 39 as “important.”

Two of these vulnerabilities are worth highlighting. The first is a remote code execution vulnerability in the company’s web browser, Internet Explorer (IE). Essentially, what this means is that the browser encounters difficulty handling certain data objects in its memory. While IE is attempting to process this data, it becomes exposed to remote scripting, the ability for an attacker to insert code into the browser’s operations, enabling the hacker to wrest control of IE functions. What was disturbing about this particular bug is that Microsoft listed it as “Publicly Disclosed,” meaning others had known of the vulnerability before Microsoft did.

The second noteworthy bug, and the most critical of all those exposed by Microsoft, was a remote code execution vulnerability. It was identified in the Windows Domain Name System (DNS) DNSAPI.dll, which means it potentially affects all versions of Windows from 7 to 10, as well as Windows Server editions. The bug exposes all machines operating those programs to corrupted DNS messages emanating from a server controlled by a hacker. In this way, cyber criminals could run arbitrary code on the user’s computer and order it to execute operations. Considering the number of machines worldwide that use the above operating systems, this is a big deal. Luckily, technicians at Microsoft identified this danger before it was discovered by someone else with more nefarious intentions. It serves as a great example of how often a free market has serious incentive to protect itself and comes through for its clientele.

But the task of maintaining the cybersphere’s safety doesn’t end with the discovery of a potential danger. As recent history has painfully demonstrated, if the warnings are not heeded by the community of users, all the work of system-supporting engineers is ultimately for naught.


A Dangerous Procrastination

Hacks become important in the annals of cyber history for two reasons. The first is because of their sheer magnitude and the amount of damage they cause. The Sony hack of 2014 that resulted in the company completely losing control of its systems and eventually suffering a total data wipe is one example. The more recent cyber fiasco involving Equifax, the largest data breach in history in terms of volume of information lost, is another notable instance. But other hacks become infamous not just because they wreak widespread havoc, but because they teach hard lessons on data security the whole world is forced to recognize. The global IT community is then faced with a choice: Apply the lessons despite the inconvenience, or let the status quo run on.

The WannaCry ransomware epidemic of 2017 falls into the latter category of notorious cyber crimes.

WannaCry was an episode that was more or less avoidable, or at least one that could have been largely mitigated. Postmortem forensic assessments of infected networks indicated that victims did not become exposed to the malware through accidentally downloading files contained in phishing emails, the typical mode of delivery in hacking campaigns. Rather, WannaCry was able to enter systems by exploiting a flaw in a Windows Server Message Block (SMB) service, a program layer that allows for the interconnectivity of networks for transferring files and other data.

Once the malware successfully infiltrated, it deployed a backdoor program to control various elements of the computer, thereby running the payload program. This payload was a nasty one, an encryption tool that targets files contained on the computer’s hard drive. WannaCry then took advantage of the already compromised SMB to scan for other vulnerable connected systems and export itself to other computers, perpetuating the cycle of infections.

As a matter of fact, however, the vulnerability hackers used to execute WannaCry had been made known a significant time before the epidemic began. Microsoft had issued a “critical” network patch after becoming aware of the SMB vulnerabilities on 14 March, two months before WannaCry began to spread in mid-May. Many system users were clearly slow to install the system patch, leaving them exposed to the malware, and ultimately assisting in the spread of the virus. In this instance, Microsoft went above and beyond its contractual obligations to customers. To help mitigate the malware’s damage, the company took the unusual step of offering patches for earlier unsupported system versions such as Windows 8 and Windows XP.

Lessons Learned

The story of WannaCry strongly highlighted the need for company IT as well as individual system users to keep abreast of program updates. Indeed, this is what many observers in the industry have called the real lesson of WannaCry.

Maintaining regular updates via patches is often not a simple task for a large organization. As pointed out by one cyber security firm director, systems that run critical infrastructure, or other vital systems that must run constantly, often cannot easily be stopped, patched, and rebooted. This underscores the need for contingency plans for such infrastructure in order to perform vital system updates. These may include back-up systems to run this infrastructure temporarily, or even temporary pre-planned lapses in operations.

At the end of the day, it is a cultural shift, not a technological one, that is needed to thwart this danger posed to the digital world. A feeling of mutual responsibility is essential for lasting security in the cyber domain. Did you ever notice that the “techy people” have such a sense of community? They share chat rooms and online forums, they update each other on their discoveries and share information. Even massive cyber companies from the Russian Kaspersky to the California-based FireEye share information about the threats they uncover. Yes, this certainly serves a self-promoting function. But it also stems from a deep understanding of the digital environment they need to operate in. They understand they are occupying a shared space, an ecosystem, to be more accurate. Nothing important can happen in this environment without having repercussions for at least some of the other occupants.

When a culture’s intelligence grows faster than its wisdom, it can spell problems. Our technological might has developed at a pace faster than our global awareness and our sense of shared responsibility when it comes to our safety.

With any luck, the mounting number of hits to the cyber sphere will begin to inculcate this awareness at a global level. The integrity of users is the only way to ensure a safe digital world for the long term.
