A dilemma worth Shakespeare's Hamlet is increasingly haunting companies and
security researchers: ``to update or not to update, this is the question``.
From the perspective of recommended common practices by software vendors the
answer is unambiguous: you should keep your software up-to-date. But is common
sense always good sense? We argue it is not

Di Tizio, Giorgio

Massacci, Fabio

English

arXiv

arXiv.org e-Print Archive

Are Software Updates Useless Against Advanced Persistent Threats?

A dilemma worth Shakespeare's Hamlet is increasingly haunting companies and security researchers: ``to update or not to update, this is the question``. From the perspective of recommended common practices by software vendors the answer is unambiguous: you should keep your software up-to-date. But is common sense always good sense? We argue it is not

Tizio, Giorgio Di

VU Research Portal

VU Research PortalAre Software Updates Useless Against Advanced Persistent Threats?Massacci, Fabio; Tizio, Giorgio Dipublished inCommunications of the ACM2023DOI (link to publisher)10.1145/3571452Link to publication in VU Research Portalcitation for published version (APA)Massacci, F., & Tizio, G. D. (2023). Are Software Updates Useless Against Advanced Persistent Threats?Communications of the ACM, 66(1), 31-33. https://doi.org/10.1145/3571452General rightsCopyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright ownersand it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights.            • Users may download and print one copy of any publication from the public portal for the purpose of private study or research.            • You may not further distribute the material or use it for any profit-making activity or commercial gain            • You may freely distribute the URL identifying the publication in the public portal ?Take down policyIf you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediatelyand investigate your claim.E-mail address:vuresearchportal.ub@vu.nlDownload date: 19. Nov. 2023Are Software Updates Useless Against AdvancedPersistent Threats?Authors:Fabio Massacci, University of Trento (IT), Vrije Universiteit Amsterdam (NL)Giorgio Di Tizio, University of Trento (IT)This paper was written within the H2020 AssureMOSS project that receivedfunding from the European Union’s Horizon 2020 research and innovationprogramme under grant agreement No 952647. This paper reflects only theauthor’s view and the Commission is not responsible for any use that may bemade of the information contained therein.arXiv:2306.07355v1  [cs.SE]  12 Jun 2023Fabio Massacci and Giorgio Di TizioAssurance and certificationin secure Multi-party OpenSoftware and Services (Assure-MOSS) No single company doesmaster its own national, in-housesoftware. Software is mostly as-sembled from “the internet” andmore than half come fromOpen Source Software repositories(some in Europe, most elsewhere). Security & privacy assur-ance, verification and certification techniques designed forlarge, slow and controlled updates, must now copewith small,continuous changes in weeks, happening in sub-componentsand decided by third party developers one did not even knowthey existed. AssureMOSS proposes to switch from process-based to artefact-based security evaluation by supportingall phases of the continuous software lifecycle (Design, De-velop, Deploy, Evaluate and back) and their artefacts (Models,Source code, Container images, Services). The key idea is tosupport mechanisms for lightweigth and scalable screeningsapplicable automatically to the entire population of softwarecomponents by Machine intelligent identification of securityissues, Sound analysis and verification of changes, Businessinsight by risk analysis and security evaluation. This ap-proach supports fast-paced development of better softwareby a new notion: continuous (re)certification. The projectwill generate also benchmark datasets with thousands ofvulnerabilities. AssureMOSS: Open Source Software: De-signedEverywhere, Secured in Europe. More informationat https://assuremoss.eu.Fabio Massacci (PhD 1997) isa professor at the University ofTrento, Italy, and Vrije UniversiteitAmsterdam, The Netherlands. Hereceived the Ten Years Most In-fluential Paper award by the IEEERequirements Engineering Confer-ence in 2015. He is the EuropeanCoordinator of the AssureMOSS project. Contact him atfabio.massacci@ieee.org.Giorgio Di Tizio (PhD 2023) isa Postdoctoral researcher at theUniversity of Trento, Italy. His in-terests include cyber threat intel-ligence and cybercrime. Contacthim at giorgio.ditizio@unitn.it.How to cite this paper:• Massacci, F. and Di Tizio, G. Are SoftwareUpdates Useless Against Advanced Per-sistent Threats?. Communications of theACM66, 1 (2023). DOI: https://doi.org/10.1145/3571452License:• This article is made available with a per-petual, non-exclusive, non-commerciallicense to distribute.Are Software Updates Useless Against Advanced PersistentThreats?FABIO MASSACCI, University of Trento and Vrije Universiteit AmsterdamGIORGIO DI TIZIO, University of TrentoA dilemma worth Shakespeare’s Hamlet is increasingly haunting companies and security re-searchers: “to update or not to update, this is the question“. From the perspective of recommendedcommon practices by software vendors the answer is unambiguous: you should keep your softwareup-to-date [7]. But is common sense always good sense? We argue it is not.Last year on a CACM’s column Poul-Henning Kamp [4] argued that these industry best practicesdo not seem to work and a more radical reform is needed. In the same year, on the IEEE S&Pmagazine Massacci, Trent and Peisert reminds us that the SolarWinds attack was funneled by anupdate [5] and a second choral piece this year [6] tells us that the recent protestware attacks arealso channeled through updates.What is badly wrong here is that updates are hardly classified as either functionality or securityupdates or both. They are bundled together for the convenience of the software vendor [5]. Forexample, the WhatsApp update v2.19.51, while patching a critical security vulnerability exploitedby the NSO Group, summarized the update with the following note: "You can now see stickersin full size when you long press a notification". One might concede, without believing it, thatconflating together functionality and security updates is done to make it more difficult to identifythe vulnerable code.Yet, this lack of transparency is not going to help. Organizations can only blindly accept the"black-box" cumulative update that will force them to install all updates ignored so far, or equallyblindly ignore the popup. As Trent Jager said: damned if you patch, damned if you do not.Still, updates might be normally good and might turn to be unwise only in the high-profile casesthat hit the media.We investigated whether this is the case in the context of Advanced Persistent Threats (APTs) [2],’la creme de la creme’ of the attacker ecosystem. APTs are sophisticated actors that deliberately andpersistently target specific individuals and companies with a strategic motivation (from sabotage tofinancial gain). In this scenario, only an ‘all hands on deck’ defense seems appropriate and keepingyour software up-to-date seems the bare, and likely not even sufficient, minimum.Starting from ’Operation Aurora’ the security community increasingly released public infor-mation about APTs campaigns via blogs and technical reports. Unfortunately, the information isfragmented over different sources, each using different taxonomies to track adversaries. So, wecollected data about more than 350 APT campaigns performed by 86 APTs in more than 10 yearsfrom more than 500 resources (and, by the way, the data is open source1).From this wealth of data, we can try to understand if these Threats called APTs really deservethe acronym they got.A as Advanced: In most cases, APTs do not even exploit a software vulnerability. Figure 1 showsthe attack vectors employed in the campaigns. More than half of them do not employ any softwarevulnerability. APTs rely on spearphishing attacks via email and social networks to obtain the initialfootprint in the network.1https://doi.org/10.5281/zenodo.6514817Authors’ addresses: Fabio Massacci, University of Trento and Vrije Universiteit Amsterdam, fabio.massacci@ieee.org;Giorgio Di Tizio, University of Trento, giorgio.ditizio@unitn.it.1w/o sw vulnerabilities w/ sw vulnerabilitiesCampaigns Type020406080100120140160180200# of campaignsSpearphishingDrive-bySupply ChainValid AccountsExternal Remote Serv.Exploit Public Facing App.Replication Remov. MediaUndeterminedMore than half of the campaigns do not exploit software vulnerabilities but extensively rely onspearphishing to get initial access.Fig. 1. Attack vector campaigns and software vulnerabilitiesWhether your software is up to date or not makes no difference in at least 50% of the cases,as software vulnerabilities are not the main attack vector. The ’all-powerful’ attacker supporterscould argue that we are a victim of survival bias as we used data of security attacks that have beeneventually discovered. As Richard Clayton said at the Workshop on Economics of InformationSecurity on 2017, “we don’t always know if are measuring dim attackers getting caught ratherthan smart attackers getting through“. This is a valid point if we consider a single point in time.Eventually, even smart attackers will be, if not caught, at least spotted. For example, we can hardlysay that the Stuxnet and Solarwinds attacks were performed by unskilled attackers. Still, they haveeventually been in the news. Thus, a decade of reports can give a reasonably accurate view of theattacker ecosystem.So let’s zoom in on the half of the attacks where software vulnerabilities did play some role.P as Persistent. When APTs exploit software vulnerabilities, they often exploit vulnerabilitiesof which the vendor is aware and for which a patch is available. The 0-days exploits are not thenorm. Figure 2 summarizes the number of campaigns that exploited known or 0-day softwarevulnerabilities. The 77% of the campaigns in our dataset rely on at least a vulnerability that waspreviously published on NVD at the time of the attack.This finding seems pretty solid evidence that software updates are actually useful. If APTs areexploiting software vulnerabilities that are known, and for which an update exists, then stayingalways on the edge of the newest Microsoft Office or Adobe Acrobat version should be enough toprevent the exploitation. Unfortunately, raw uninterpreted statistics of hindsight can be misleading.2Most of the campaigns exploited at least one vulnerability after reservation and publication byNVD. Only a few launched attacks exploiting unknown vulnerabilities that were neither reservednor published by NVD.Fig. 2. Classification of APT Campaigns.The first problem with "Keep your software updated to the newest version" is that the pace ofupdates is often very close to a Denial of Service against IT administrators with no improvement insecurity [1]. Many updates are not security updates and updates tend to break other functionalities.Huang et al. [3] in a paper aptly entitle up-to-crash found out that many seemingly innocuousupdates of vulnerable Android libraries might crash the dependent application with up to 50%chances. Toss a coin, if head is up, software is down.So we decided to investigate the potential effectiveness of keeping the software up-to-date for5 widely used software products in the decade under study (Office, Acrobat Reader, Air, JRE, andFlash Player) from three major software companies (Adobe, Microsoft, and Oracle) for the WindowsO.S. with different strategies.The Ideal strategy represents the unrealistic scenario of staying on the edge of the wave andupdate the software as soon as a new release is available. The software vendor’s speed is the onlylimiting factor.The Industry strategy is a more realistic representation of the dutiful organizations that followthe industry best practices and apply each new update with some delay between the release of anupdate and its installation to perform regression testing. Delay ranges from one week to severalmonths.Amore relaxed Reactive strategy just focuses on updating when a CVE for a software vulnerabilityis published in a database of vulnerabilities like NVD.3T as Threat. As we (now) know when the attack took place with some approximation (i.e almostall reports only indicate the month of the attack), we can calculate the Agresti-Coull 95% confidenceinterval that doing an update at that timewas actually useful or not. In other words, we can calculatethe conditional probability that you would have updated on the same month, or updated the nextmonth when the update became available and still have succumbed to an APT - if they ever decidedto target you.Figure 3 shows the range in which the probability of being compromised lies for the differentstrategies considering a one-month delay for the Industry and Reactive strategies to performregression testing. When the intervals overlap it means the two strategies are not statisticallydistinguishable. That is a vey bad news for the IT administrators that struggled to keep pace of theupdates.In Figure 3 we observe that either an enterprise applies at light speed lots of updates (the Idealstrategy) or the risk of being compromised once you have to wait to perform regression testing forall new releases of the software (Industry strategy) is the same as if you just wait for a CVE to comeout (Reactive strategy) but the latter saves you from a lot of useless updates. Furthermore, even ifwe are keeping our system up to date at light speed, we also need to be lucky to not jeopardize oureffort. Indeed, if we consider the worst-case scenario of a strategy, where APTs are slightly fasterto exploit than enterprises to patch (i.e. on the same month), the probability of being compromisedsignificantly overlaps with the more relaxed strategy of waiting for a CVE to be published.All-speedful defenders are as unrealistic as all-powerful attackers, thus it seems perfectly rationalto save time and money and only rush to update for disclosed vulnerabilities and before that donothing. That is what most company seems to do and get lambasted for.What is the answer? If the "keep your systems up to date" best practice is only effective whenthe enterprises spend most of their resources on fixing and maintaining their suppliers’ softwareinstead of servicing their own customers, then why do we stick with this recommendation?This is a best practice that can be included in the "security theatre" [8], measures that provideminimal benefits and are not worth the cost.As Kamp points out in the mentioned CACM columns [4] this industry ‘best practice’ allowscyber-insurance companies to reject requests for coverage. Most importantly, it allows softwarecompanies to shift liability towards their "lazy" users. For the software vendors (starting from thebig four), this best practice is the most desirable because releasing an update that "improves" anunknown feature of a product is much easier than implementing it as a secure application withmechanisms like automatic network segmentation and escalation and execution confinement [5]and without unnecessary frills.We agree with Poul-Henning Kamp, it is a jolly good time to introduce the ‘right to not update’[5] and return the liability of defective software building to the software builders and not to thesoftware users [4].Dwellers of the U.S. Capitol or Brussel’s Berlaymont should take notice of the copy of the oldCode of Hammurabi reported in Table 1 along with its counterpart in the IT reign. It is for thefuture to align its liability laws to the past.To summarize: If “how to have more security?” is the question, software updates are not theanswer.REFERENCES[1] Luca Allodi and Fabio Massacci. 2014. Comparing Vulnerability Severity and Exploits Using Case-Control Studies.ACM Transactions on Information and System Security 17, 1 (2014).[2] Giorgio Di Tizio, Michele Armellini, and Fabio Massacci. 2022. Software Updates Strategies: a Quantitative Evaluationagainst Advanced Persistent Threats. IEEE Transactions on Software Engineering (2022).40 10 20 30 40 50 60 70 80 90 100Prob. of being compromised (%)Reactive worst-caseReactive best-caseIndustry worst-caseIndustry best-caseIdeal worst-caseIdeal best-case364 updates364 updates361 updates361 updates247 updates247 updatesIf intervals overlapyou get the samechances of beingcompromised by APTsIn the best-case scenario, updates are deployed before exploitation if they overlap on the samedate. In this case, either an enterprise updates immediately or the risk of being compromised byupdating only when a CVE is published is the same as always updating to the newest version. Inthe worst-case scenario, updates are deployed after exploitation if they overlap on the same date. Inthis case, even if an enterprise updates immediately there is considerable overlap in the probabilityof being compromised with more relaxed approachesFig. 3. Agresti-Coull confidence interval of the probability of being compromised for update strategies (onemonth delay for Industry and Reactive strategies)Table 1. The IT Code vs the Building Code of HammurabiWhat Happens Code of Hammurabi (ca. 1780 BC) Code of IT Industry (2022 AD)If a [builder] did not con-struct properly the housefor a fellow [. . . ] and awall fellthat builder shall make that wallsound using his own silverthat builder will suggest an-other house he built andthat fellow should pay tomove one’s goods to the otherhouse.If the house fell and it ru-ins goods[the builder] shall make compensa-tion for all that has been ruinedunthinkableif the builder wantschange the walls or closea window of the houseafter the saleunthinkable the fellow shall adapt its liv-ing to the new house at one’sown expenses5[3] J. Huang, N. Borges, S. Bugiel, and M. Backes. 2019. Up-To-Crash: Evaluating Third-Party Library Updatability onAndroid. In IEEE European Symposium on Security and Privacy.[4] Poul-Henning Kamp. 2021. The software industry IS STILL the problem: The time is (also) way overdue for ITprofessional liability. ACM Queue 19, 4 (2021).[5] Fabio Massacci, Trent Jaeger, and Sean Peisert. 2021. Solarwinds and the challenges of patching: Can we ever stopdancing with the devil? IEEE Security & Privacy 19, 2 (2021).[6] F. Massacci, A. Sabetta, J. Mirkovic, T. Murray, H. Okhravi, M. Mannan, A. Rocha, E. Bodden, and D. E. Geer. 2022.“Free” as in Freedom to Protest? IEEE Security & Privacy 20, 5 (2022).[7] Robert W. Reeder, Iulia Ion, and Sunny Consolvo. 2017. 152 Simple Steps to Stay Safe Online: Security Advice forNon-Tech-Savvy Users. IEEE Security & Privacy 15, 5 (2017).[8] Bruce Schneier. 2009. Beyond security theater. New Internationalist 427 (2009).6

Are Software Updates Useless Against Advanced Persistent Threats?

Abstract

Similar works

Full text

Available Versions

arXiv.org e-Print Archive

VU Research Portal