
Zero Day

Ryan Naraine and Dancho Danchev

Report: Patched vulnerabilities remain prime exploitation vector

By | February 16, 2011, 3:31am PST

Summary: Two reports highlight the fact that outdated and already patched vulnerabilities remain the prime exploitation vector for malicious attackers and cybercriminals in general.

Which tactic do cybercriminals most often use to infect users with malicious code (malware) and build yet another botnet?

According to a newly released report by M86 Security, the answer is patched vulnerabilities. Why are cybercriminals turning to the exploitation of outdated flaws in the first place? Sadly, because it works, given the state of the average insecure third-party application or plugin on a sample PC. Are cybercriminals being picky? Not at all: thanks to web malware exploitation kits such as Eleonore, Phoenix, Unique Pack, Crime Pack or Fragus, they exploit whatever is exploitable on a targeted host.

The top 10 most observed vulnerabilities served by web malware exploitation kits:

  • Microsoft Internet Explorer RDS ActiveX
  • Office Web Components Active Script Execution
  • Microsoft Video Streaming (DirectShow) ActiveX Vulnerability
  • Real Player IERPCtl Remote Code Execution
  • Adobe Acrobat and Adobe Reader CollectEmailInfo
  • Adobe Reader GetIcon JavaScript Method Buffer Overflow
  • Adobe Reader util.printf() JavaScript Func() Stack Overflow
  • Microsoft Internet Explorer Deleted Object Event Handling
  • Microsoft Access Snapshot Viewer ActiveX Control
  • Adobe Reader media.newPlayer

Alongside the flaws listed above, the report also emphasizes that Java-based attacks rose to higher than anticipated levels in the second half of 2010.

The trend is confirmed by a second recently released report. According to Cisco's data, the exploitation of patched Java flaws has outpaced exploitation through malicious PDF files, at 6.5 percent on average for 4Q10. The increase in this exploitation technique is once again attributed to the use of specific web malware exploitation kits.


Users are advised to use least-privilege accounts, browse the web in an isolated environment, and ensure their hosts are free of outdated third-party software, browser plugins or OS-specific flaws.
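The last piece of that advice, keeping hosts free of outdated third-party software, is the kind of check that can be automated. The script below is an added example written for this article; it is not code from M86, Cisco or the author. It compares a host's installed software inventory against a baseline of minimum patched versions and reports anything that falls below it. Both the inventory and the baseline version numbers are constructed placeholders: in practice the baseline would come from the vendor's advisories or a patch-management feed, and the inventory from an agent or an installed-programs export.

```python
"""Flag outdated third-party software from a host inventory.

Added example for this article. The inventory and the baseline
versions are constructed placeholders, not data from the M86 or
Cisco reports.
"""
import re

# Constructed baseline: the lowest version considered patched for each
# product. The numbers are placeholders; a real baseline is maintained
# from vendor advisories.
PATCHED_BASELINE = {
    "Adobe Reader": "9.4.2",
    "Java Runtime Environment": "1.6.0.24",
    "RealPlayer": "14.0.2",
    "Adobe Flash Player": "10.2.152",
}

# Constructed inventory as an agent might export it: one "product=version"
# per line. Notepad++ is not tracked in the baseline and is ignored.
SAMPLE_INVENTORY = """\
Adobe Reader=8.1.2
Java Runtime Environment=1.6.0.24
RealPlayer=11.0.0
Adobe Flash Player=10.2.152.26
Notepad++=5.9
"""


def parse_version(text):
    """Turn '1.6.0.24' into a tuple of ints so versions compare numerically
    (string comparison would rank '9.4.2' above '10.0.0')."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_outdated(installed, baseline):
    """True when installed is strictly below baseline, comparing component
    by component; missing trailing components count as zero, so
    10.2.152.26 is not below a baseline of 10.2.152."""
    a, b = parse_version(installed), parse_version(baseline)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def parse_inventory(text):
    """Parse 'product=version' lines into a dict, skipping blank or
    malformed lines."""
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        name, version = line.split("=", 1)
        inventory[name.strip()] = version.strip()
    return inventory


def audit(inventory_text, baseline=PATCHED_BASELINE):
    """Return {product: (installed, required)} for every tracked product
    whose installed version is below the patched baseline. Products that
    are installed but not tracked, or tracked but not installed, are
    not reported."""
    inventory = parse_inventory(inventory_text)
    findings = {}
    for product, required in baseline.items():
        installed = inventory.get(product)
        if installed is not None and is_outdated(installed, required):
            findings[product] = (installed, required)
    return findings


if __name__ == "__main__":
    for product, (have, need) in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"OUTDATED {product}: installed {have}, patched baseline {need}")
```

Run as-is it reports Adobe Reader and RealPlayer as outdated and accepts the Java and Flash entries. The component-wise comparison with zero padding is the part worth getting right: a naive string comparison would mark a four-component build number as "newer" or "older" incorrectly, and a false "patched" result is exactly the gap the exploit kits in the report rely on.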


Disclosure

Dancho Danchev

More details on Dancho Danchev's current and past professional affiliations, can be found in his LinkedIn profile.

Biography

Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community on a daily basis. More details on Dancho Danchev's current and past professional affiliations, can be found in his LinkedIn profile. You can also follow him on Twitter

Talkback (most recent of 22)

  • No surprise here.
    This has been common for the past decade. Several very successful exploits took advantage of patched vulnerabilities. Which is why I recommend, barring some specific reason, always applying patches.
    ye, 16th Feb 2011
  • You hear that, folks?
    @ye says to leave your systems unpatched. lol...
    LTV10, 16th Feb 2011
  • Reading comprehension fails you.
    @LTV10: ye says to leave your systems unpatched.

    Where did I say that?
    ye, 16th Feb 2011
  • RE: Report: Patched vulnerabilities remain prime exploitation vector
    @LTV10
    No, you read that wrong; he said always patch unless there is some specific circumstance where you can't or shouldn't (i.e. a broken patch that may do more harm than good).
    KBot, 16th Feb 2011
  • You left an opening
    You said...

    Which is why I recommend, barring some specific reason, always applying patches.

    Which tells me some patches shouldn't be installed. Which means your system isn't fully patched.

    Now if the patch was bad, then why would Micro$oft release it in the first place? They're always right, ya know. wink
    LTV10, 16th Feb 2011
  • You're grasping at straws.
    @LTV10: Which tells me some patches shouldn't be installed. Which means your system isn't fully patched.

    That or you're stupid as it means no such thing.
    ye, 16th Feb 2011
  • Answer my question
    You can't because you know I'm right.
    LTV10, 17th Feb 2011
  • HollywoodDog, 16th Feb 2011
  • I don't worry about viruses, spyware and botnets.
    @HollywoodDog: And I primarily use Windows. Haven't been concerned with it for well over a decade.
    ye, 16th Feb 2011
  • RE: Report: Patched vulnerabilities remain prime exploitation vector
    @ye I agree!! I also recommend Secunia PSI to help with all your programs.
    bvonr@..., 16th Feb 2011
  • Of course not - lol
    * Microsoft Internet Explorer RDS ActiveX
    * Office Web Components Active Script Execution
    * Microsoft Video Streaming (DirectShow) ActiveX Vulnerability
    * Real Player IERPCtl Remote Code Execution
    * Adobe Acrobat and Adobe Reader CollectEmailInfo
    * Adobe Reader GetIcon JavaScript Method Buffer Overflow
    * Adobe Reader util.printf() JavaScript Func() Stack Overflow
    * Microsoft Internet Explorer Deleted Object Event Handling
    * Microsoft Access Snapshot Viewer ActiveX Control
    * Adobe Reader media.newPlayer

    And not one single attack vector for Linux. Not one.

    happy
    LTV10, 16th Feb 2011
  • RE: Report: Patched vulnerabilities remain prime exploitation vector
    @HollywoodDog
    Obscurity isn't a solution, especially considering Apple's recent advancements in the mobile market.
    KBot, 16th Feb 2011
  • RE: Report: Patched vulnerabilities remain prime exploitation vector
    Uh, the report is stating that too many users/programmers have NOT applied patches, but think they are invulnerable because they patched ONE vulnerable piece of software. If you have 3 pieces of software that all use the Mozilla framework and only patch one of them (like, oh say, FireFox?), the other two apps are still vulnerable.
    RyuDarragh, 16th Feb 2011
  • Users fear installs and updates.
    Unfortunately, you can blame malware and long wizards for making users afraid of updates. I know lots of regular users that just wait for their local techie neighbor every 6 months or so to patch up their system.

    The only real solution IMO is for software developers to start using update systems like what Google Chrome uses: transparent, automatic, and don't ask the users any questions. Just install the update.

    Whenever I set up a system for a user that isn't tech savvy, I always make sure Windows is set to update automatically, and if I'm allowed to, I install the newest Secunia PSI, which has the ability to install many application updates automatically.

    Sadly, not all applications have the ability to have silent, automatic updates, but whenever possible I enable them.

    It's less work for myself and my users if updates are automatic. And to be honest, it's how things are going to work in the future.

    While it's certainly good to allow some users to set updates to manual if there are compatibility issues, I think that by default they should be automatic on all software, and I think that all non-web software should embrace the update model that Google Chrome uses.
    CobraA1, 16th Feb 2011
  • Agreed. And while they're at it they can also remove the license agreement.
    @CobraA1: Why does a patch require agreement to license terms?
    ye, 16th Feb 2011
