
Exploited Apps Depend On Attack Vector

While some data shows Java to be the most attacked software application, other software gives the program a run for the title

Dec 06, 2011 | 05:25 PM | 

By Robert Lemos, Contributing Editor
DarkReading


During the Thanksgiving weekend, the Blackhole exploit kit got an update. A developer for the popular criminal toolkit for creating malicious programs added a new exploit for a recently patched vulnerability in the Java Runtime Environment. Within a few days, the exploit was incorporated into the Metasploit penetration-testing toolkit, as well.

The scenario has become a common occurrence: Security researchers or cybercriminals develop an attack for a just-discovered flaw and add the exploit into their point-and-click attack kits. Soon, a relatively unknown attack becomes a quickly growing threat seen by a large population. It's a trend that has repeated itself many times, says Joshua Talbot, security intelligence manager for Symantec.

"Attackers often move in trends and focus on one piece of software until the opportunities are exhausted," Talbot says.

In the past, attackers have focused on creating files that take advantage of flaws in Microsoft's Office and Adobe's PDF format. In 2005, for example, Microsoft fixed more flaws in its Office products than in its other popular-to-pwn product, Internet Explorer.

"It depends on the vector you are looking at," says Jeremiah Grossman, chief technology officer for Web security firm WhiteHat Security. "If you are attacking through e-mail, you may use one type of attack. If you are attacking a website, another."

Here are some examples of how the bad guys home in on the hot attack targets:

1. Perennial e-mail favorite: PDFs
Five years ago, cybercriminals attempted to compromise victims' PCs by exploiting vulnerabilities in Word and Excel. A few years later, Adobe's PDF format became the most popular file type for cybercriminals to target.

That remains true today, according to Symantec data. In the past year, more e-mail attacks used flaws in PDF than the next nine most popular file formats, Symantec's Talbot says.

"Attacking file formats is a good technique to compromise even savvy users," he says. "If you send an e-mail with a specific context, you have a good chance of success."

Maliciously crafted document files are also a staple of targeted attacks, which are far less frequent but more significant. About one in every 2 million e-mails -- or one in every 8,300 e-mail attacks -- is highly targeted, Symantec states in its latest Intelligence Report.

2. Browser bane: Java
While file-format vulnerabilities are the most commonly exploited flaws when attackers attempt to compromise systems through e-mail, browser-based attacks have increasingly focused on Java.

In its latest Security Intelligence Report, Microsoft found that between one-third and one-half of all exploits it detected were attempts to exploit flaws in Java. In total, the company detected almost 27.5 million exploit attempts in 12 months.

"Many of the more commonly exploited Java vulnerabilities are several years old and have had security updates available for them for years," said Tim Rains, director of trustworthy computing for Microsoft, in a blog post. "This illustrates that once attackers develop or buy the capability to exploit a vulnerability, they continue to use the exploit for years, presumably because they continue to get a positive return on investment."

3. Web sites: Beware SQL injection
For attackers focused on Web sites and the databases that power dynamic Web properties, the vector of choice is SQL injection, according to WhiteHat's Grossman.

"If you are attacking Web sites, you are going to use SQL injection," he says.

Other popular attacks include PHP file include attacks and predictable resource location.

The first line of defense for users and companies is to keep software up-to-date, says Symantec's Talbot. In most cases, there is a fix for the flaw already available.

For companies that cannot patch their systems in time, adding vulnerability-specific defenses, such as sandboxing a browser or implementing a Web-application firewall, can help buy time for the defender, he says.

"If there are attacks being made in the wild, then disable that technology until the threat is past," Talbot says.
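The SQL injection vector described in the third section, and the point about a Web-application firewall buying time until a real fix ships, both come down to a single distinction: whether user input becomes part of the SQL statement's text or is passed to the database separately as a value. The following is an added illustration, not code from the article or from any of the companies it quotes. It uses Python's standard sqlite3 module with a constructed three-row user table, shows the concatenated query beside the parameterized one, and includes a deliberately naive signature check of the kind a WAF rule might apply as a stopgap.

```python
import re
import sqlite3

# Constructed sample data for the demonstration; not taken from the article.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db():
    """Build an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The injectable pattern: the caller's string is spliced into the SQL text.

    A quote character in `name` ends the literal early, so the rest of the
    input is parsed as SQL and can change what the statement does.
    """
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, name):
    """The hardened form: a parameterized query.

    The statement text is fixed; the driver sends `name` as a bound value,
    so no content of `name` can alter the statement's structure.
    """
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


# A hypothetical, deliberately simple WAF-style signature: a quote followed by
# OR/AND and another quote. It catches the textbook tautology but is trivial
# to evade, which is why the article frames such controls as buying time
# rather than replacing the fix (parameterization) above.
_TAUTOLOGY = re.compile(r"'\s*(or|and)\s*'", re.IGNORECASE)


def looks_like_injection(value):
    """Return True if `value` matches the naive tautology signature."""
    return _TAUTOLOGY.search(value) is not None


def handle_request(conn, name):
    """Stopgap gate in front of the vulnerable lookup: reject flagged input."""
    if looks_like_injection(name):
        return None  # request blocked; a real WAF would log the event
    return lookup_vulnerable(conn, name)


if __name__ == "__main__":
    db = make_db()
    benign = "alice"
    hostile = "' OR '1'='1"
    print("vulnerable, benign :", lookup_vulnerable(db, benign))
    print("vulnerable, hostile:", lookup_vulnerable(db, hostile))  # every row leaks
    print("safe, hostile      :", lookup_safe(db, hostile))        # no such user
    print("gated, hostile     :", handle_request(db, hostile))     # blocked
```

Running the module prints the three-row leak from the concatenated query, an empty result from the parameterized query for the same input, and a blocked request from the signature gate. The signature gate is the WAF analogue: useful while a patch or code change is pending, but the parameterized query is the control that actually removes the flaw.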
