Vulnerabilities / Threats
6/1/2011
09:56 AM
Connect Directly
RSS
E-Mail
50%
50%

Microsoft Finds 5% Of PCs Running Malware

Java exploits predominate, including some still successfully targeting bugs from 2008.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
One in 20 PCs is infected with malware, according to statistics gathered by a free Microsoft scanning tool. Interestingly, the average infected PC contained 3.5 pieces of malware, and most of those malware applications exploited Java vulnerabilities.

Those findings come via Microsoft Safety Scanner (MSS), a free, recently updated tool from Microsoft that's designed to clean up after a malware infection. The tool expires 10 days after being downloaded to force users to download a new version with the latest updates.

After recently updating MSS to scan 64-bit Windows systems, Microsoft compiled seven days' worth of scans, and found that "seven of the top 10 threats are files containing exploits for Java vulnerabilities," according to a blog post from Scott Wu and Joe Faulhaber at the Microsoft Malware Protection Center.

The most-seen malware was OpenCandy adware, present on 0.8% of all PCs scanned. But almost every other piece of prevalent malware contained code for exploiting Java vulnerabilities, including a Java Runtime Environment (JRE) bug discovered in 2008.

To illustrate the types of malware its scanner found on PCs, Microsoft detailed the malware found just on the 0.5% of PCs exploited via the 2008 JRE bug: Alureon rootkit (on 7.3% of those PCs), browser modifier Zwangi (6.0%), rogue application Winwebsec (5.7%), and Hotbar and ClickPotato adware (both 5.4%).

"Of course many of these detections by MSS are the debris or aftermath after the exploit has already executed," said Wu and Faulhaber. "By the time a user downloads and runs MSS to detect malware, the machine may have already been infected, if it was vulnerable to the exploit at the time." That's why Microsoft says MSS is "not a replacement for using an antivirus software program that provides ongoing protection" and which could have prevented an infection in the first place.

This isn't the first time that Microsoft has trumpeted the threat posed by Java vulnerabilities. According to Microsoft's 2010 Security Intelligence Report, "exploits that use HTML and JavaScript steadily increased throughout the year and continue to represent a large portion of exploits." Notably, it found that "the most prevalent type of attack in this category involved malicious iFrames," which attackers often use after compromising a website, to then attack anyone who visits.

In 2011, the Java threat doesn't appear to have diminished. According to a study by Kaspersky Labs that looked at malware trends from January through March 2011, Java vulnerabilities comprised a significant portion of the top 10 "most seen" vulnerabilities on people's PCs. "Vulnerabilities in Adobe products occupied five positions in the list, including 1st and 2nd places, while 4th and 5th positions were taken up by vulnerabilities in the Java Virtual Machine," said Yury Namestnikov, a security researcher at Kaspersky, in a blog post. The remaining top 10 vulnerabilities involved Apple QuickTime, Winamp, and Microsoft Office.

"All of the vulnerabilities that appeared in the Top 10 enable cybercriminals to take control of computers at the system level," said Namestnikov.

Black Hat USA 2011 presents a unique opportunity for members of the security industry to gather and discuss the latest in cutting-edge research. It happens Aug. 3-4 in Las Vegas. Find out more and register.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2227
Published: 2014-07-25
The default Flash cross-domain policy (crossdomain.xml) in Ubiquiti Networks UniFi Video (formerly AirVision aka AirVision Controller) before 3.0.1 does not restrict access to the application, which allows remote attackers to bypass the Same Origin Policy via a crafted SWF file.

CVE-2014-5027
Published: 2014-07-25
Cross-site scripting (XSS) vulnerability in Review Board 1.7.x before 1.7.27 and 2.0.x before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via a query parameter to a diff fragment page.

CVE-2014-5100
Published: 2014-07-25
Multiple cross-site request forgery (CSRF) vulnerabilities in Omeka before 2.2.1 allow remote attackers to hijack the authentication of administrators for requests that (1) add a new super user account via a request to admin/users/add, (2) insert cross-site scripting (XSS) sequences via the api_key_...

CVE-2014-5101
Published: 2014-07-25
Multiple cross-site scripting (XSS) vulnerabilities in WeBid 1.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) TPL_name, (2) TPL_nick, (3) TPL_email, (4) TPL_year, (5) TPL_address, (6) TPL_city, (7) TPL_prov, (8) TPL_zip, (9) TPL_phone, (10) TPL_pp_email, (11) TPL_authn...

CVE-2014-5102
Published: 2014-07-25
SQL injection vulnerability in vBulletin 5.0.4 through 5.1.3 Alpha 5 allows remote attackers to execute arbitrary SQL commands via the criteria[startswith] parameter to ajax/render/memberlist_items.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.