"Enterprises tend to have reasonable control over patching at the OS and browser level, but ask the average CISO for a report on browser plug-ins installed in the organization, and they won't know where to begin," says Michael Sutton, vice president of security research for cloud security vendor Zscaler. "Attackers know this all too well."
According to Sutton, his team's research has found that plug-ins for Adobe Reader, Adobe Flash, and Oracle Java tend to be the top targets for browser exploit kits today, a claim that dozens of other security researchers will vouch for. According to the most recent Cisco 2013 Annual Security Report, Java exploits accounted for 87 percent of all Web exploits. And daily news coverage adds anecdotal evidence of the danger plug-ins pose.
Take, for example, news of the latest exploit kit making the rounds: Styx. First blown open by Krebs on Security earlier in the week, Styx is being offered for license for $3,000. Current research shows that Styx depends on just four vulnerabilities to do its dirty work, and three of those are Java exploits.
Attackers don't really need to go through the expense of discovering zero-days when they can have a field day exploiting the old browser vulnerabilities sitting unpatched on most endpoints today. According to the most recent Symantec Internet Security Threat Report 2013, though the rate of discovery of Web vulnerabilities increased by only 6 percent last year, the rate of attacks from compromised websites went up by 30 percent.
According to Patrick Thomas, security consultant for Neohapsis, the two- to three-month patch cycle that most organizations have developed for endpoint environments is simply not fast enough to keep up with exploit kits developed to take advantage of browser and plug-in vulnerabilities. Enterprises have to adapt their practices to account for this Achilles' heel in the endpoint ecosystem.
"Don't fear the auto-update -- these aren't the dark ages anymore. Modern browsers have the ability to self-update; require it to be enabled," Thomas says. "Include browsers in patch reports and make sure that alternate browsers are considered in your enterprise patch management. Finally, include browser extensions and plug-ins in patching strategy."
Organizations that truly want to reduce their risks should consider more drastic measures, including completely uninstalling the most widely attacked plug-ins.
"I'd suggest that, unless you have a pressing need for a business application that requires Java, uninstall it completely from any Windows computer you use," says Andrew Brandt, director of threat research at Solera Networks, a Blue Coat company. "Even though these attacks spawn a pop-up message from Java asking for permission to execute the malicious JAR, in many cases it's too hard to tell from which browser window the pop-ups originate."
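To put Sutton's and Thomas's advice into practice, an administrator needs the inventory the article says most CISOs lack: which of the widely attacked plug-ins are installed, at what version, on each Windows endpoint. The script below is an added example and is not part of the article or the work of the researchers quoted. It reads the Windows Uninstall registry keys (both the native and the WOW6432Node hive) on the local host and writes a CSV that can be merged into the enterprise patch report. The Java auto-update policy key it consults (`HKLM:\SOFTWARE\JavaSoft\Java Update\Policy`, value `EnableJavaUpdate`) is an assumption to verify against your installed Java build; the display-name patterns in `$watchList` are also assumptions and should be adjusted to match local naming.

```powershell
# Added example, not from the article: inventory the plug-ins the article names
# (Java, Flash, Adobe Reader/Acrobat) on one Windows host so that they can be
# included in the enterprise patch report. Run in an elevated PowerShell session;
# fleet-wide collection (for example via Invoke-Command) is assumed to be set up
# separately and is not shown here.

# Both Uninstall hives: 64-bit applications and 32-bit applications on 64-bit Windows.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Display-name patterns for the plug-ins the article singles out (assumed; adjust locally).
$watchList = 'Java|Flash Player|Adobe Reader|Adobe Acrobat'

$report = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and ($_.DisplayName -match $watchList) } |
    Select-Object @{ Name = 'Computer';       Expression = { $env:COMPUTERNAME } },
                  @{ Name = 'Product';        Expression = { $_.DisplayName } },
                  @{ Name = 'Version';        Expression = { $_.DisplayVersion } },
                  @{ Name = 'InstallDate';    Expression = { $_.InstallDate } },
                  @{ Name = 'UninstallString'; Expression = { $_.UninstallString } }

# Java auto-update policy (assumed key and value name; verify on your Java build).
# The article's advice is to require self-update to be enabled, so flag hosts where it is not.
$javaPolicyPaths = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Update\Policy',
    'HKLM:\SOFTWARE\WOW6432Node\JavaSoft\Java Update\Policy'
)
$javaAutoUpdate = 'not found'
foreach ($path in $javaPolicyPaths) {
    $policy = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if ($policy -and ($null -ne $policy.EnableJavaUpdate)) {
        $javaAutoUpdate = if ($policy.EnableJavaUpdate -eq 1) { 'enabled' } else { 'disabled' }
        break
    }
}

# Show the inventory on screen and export it for the patch report.
$report | Sort-Object Product | Format-Table -AutoSize
"Java auto-update on $($env:COMPUTERNAME): $javaAutoUpdate"

$csvPath = Join-Path -Path (Get-Location) -ChildPath ("plugin-inventory-{0}.csv" -f $env:COMPUTERNAME)
$report | Export-Csv -Path $csvPath -NoTypeInformation
"Inventory written to $csvPath"
```

The CSV has one row per installed copy of a watched product, so a host with two Java runtimes side by side (a common leftover from upgrades that did not remove the old version) shows up as two rows, which is exactly the case a patch report built only from OS and browser versions would miss. The `UninstallString` column gives the command an administrator would use when following Brandt's advice to remove Java outright from machines that have no business need for it.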