Wednesday, September 28, 2011

Exploit Kit Intelligence: Five Software Packages = 90%+ Of The Problem

Via CSIS -

When a Microsoft Windows machine gets infected by viruses/malware, it does so mainly because users forget to update the Java JRE, Adobe Reader/Acrobat and Adobe Flash. This is revealed by a survey conducted by CSIS Security Group A/S.

Basis of the Study
CSIS has, over a period of almost three months, actively collected real-time data from various so-called exploit kits. An exploit kit is a commercial hacker toolbox that is actively exploited by computer criminals who take advantage of vulnerabilities in popular software. Up to 85 % of all virus infections occur as a result of drive-by attacks automated via commercial exploit kits.


Most Vulnerable Programs
On the basis of the total statistical data of this study, it is documented that the following products are frequently abused by malware in order to infect Windows machines: Java JRE, Adobe Reader / Acrobat, Adobe Flash and Microsoft Internet Explorer.


Vulnerabilities Abused
Among the vulnerabilities we have observed abused by the monitored exploit kits, we find:
  • CVE-2010-1885 - Microsoft Help & Support HCP
  • CVE-2010-1423 - Java Deployment Toolkit insufficient argument validation
  • CVE-2010-0886 - Java Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE
  • CVE-2010-0842 - Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
  • CVE-2010-0840 - Java Trusted Methods Chaining Remote Code Execution Vulnerability
  • CVE-2009-1671 - Java buffer overflows in the Deployment Toolkit ActiveX control in deploytk.dll
  • CVE-2009-0927 - Adobe Reader Collab GetIcon
  • CVE-2008-2992 - Adobe Reader util.printf
  • CVE-2008-0655 - Adobe Reader CollectEmailInfo
  • CVE-2006-0003 - IE MDAC
  • CVE-2006-4704 - Microsoft Visual Studio 2005 WMI Object Broker Remote Code Execution Vulnerability
  • CVE-2004-0549 - IE ShowModalDialog method and modifying the location to execute code

The Reason Why Patching is Essential!
The conclusion of this study is that as much as 99.8 % of all virus/malware infections caused by commercial exploit kits are a direct result of failing to update five specific software packages.


Great research by CSIS.

This builds on the body of knowledge presented by various researchers (e.g. Dan Guido & Mila Parkour), which suggests corporations should focus on the top 5 or 6 products at the desktop level as an effective method of combating exploit kits - at least in their current state.

The exploit kit authors will adapt their attack methods (i.e. the techniques and vulnerabilities used), as needed, to maintain high infection rates. Therefore, we must adapt as well. This is only the beginning.
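Focusing patch effort on a handful of desktop products only works if you know which versions are actually deployed. The script below is an added example (not from CSIS or this blog) that inventories the packages named above (Java JRE, Adobe Reader/Acrobat, Adobe Flash and Internet Explorer) from the Windows Uninstall registry keys on the local machine; the DisplayName patterns are assumptions about vendor naming and should be tuned to your estate.

```powershell
# Added example: inventory the exploit-kit target packages on a Windows host.
# Reads the standard Uninstall keys (32- and 64-bit hives) and IE's own version
# value. Name patterns below are assumptions, not vendor-guaranteed strings.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumed DisplayName patterns for the products singled out by the study.
$watchList = [ordered]@{
    'Java JRE'             = '^Java(\(TM\))?\s*\d'
    'Adobe Reader/Acrobat' = '^Adobe (Reader|Acrobat)'
    'Adobe Flash'          = '^Adobe Flash Player'
}

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName }

$report = @(foreach ($product in $watchList.Keys) {
    $found = $installed | Where-Object { $_.DisplayName -match $watchList[$product] }
    if (-not $found) {
        # Explicitly record absence so the report shows coverage, not just hits.
        [pscustomobject]@{ Product = $product; DisplayName = '(not installed)'; Version = '' }
    } else {
        foreach ($entry in $found) {
            [pscustomobject]@{ Product = $product; DisplayName = $entry.DisplayName; Version = $entry.DisplayVersion }
        }
    }
})

# Internet Explorer is not listed under Uninstall; read its version from its own key.
# svcVersion is present on newer IE builds, Version on older ones.
$ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
$ieVersion = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
$report += [pscustomobject]@{ Product = 'Internet Explorer'; DisplayName = 'Internet Explorer'; Version = $ieVersion }

# Multiple Java or Flash entries on one host usually mean stale side-by-side
# installs that the exploit kits above can still reach; review those first.
$report | Sort-Object Product, DisplayName | Format-Table -AutoSize
```

Run it under an elevated prompt across your fleet (for example via a management tool) and compare the Version column against the vendor's current release to find hosts still exposed to the CVEs listed above.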
