Microsoft produces a document called the Security Intelligence Report on a regular basis. Some of it hit the news today so I decided to take a peek. The report doesn’t restrict itself to exploits of Microsoft products and is based on data that they gather from a number of sources.
“In this supplemental analysis, zero-day exploitation accounted for about 0.12 percent of all exploit activity in 1H11, reaching a peak of 0.37 percent in June”.
OK, so that tells us that the vast majority of exploits take advantage of old vulnerabilities that have had patches available previously.
“Of the attacks attributed to exploits in the 1H11 MSRT data, less than half of them targeted vulnerabilities disclosed within the previous year, and none targeted vulnerabilities that were zero-day during the first half of 2011”.
People aren’t patching like they should be. That explains this:
Conficker is still (STILL!!!!) the leading infection on domain joined computers. Seriously!?!?!? It is not in the top 10 of non-domain joined PCs.
And it explains this:
“Exploits that target CVE-2010-2568, a vulnerability in Windows Shell, increased significantly in 2Q11, and were responsible for the entire 2Q11 increase in operating system exploits. The vulnerability was first discovered being used by the family Win32/Stuxnet in mid-2010”.
This report covers up to H2 2011 and MS10-046 is still being exploited because people haven’t deployed the patch.
“Detections of exploits targeting Adobe Flash, although uncommon in comparison to some other types of exploits, increased in 2Q11 to more than 40 times the volume seen in 1Q11 … Two vulnerabilities accounted for the bulk of zero-day exploit activity … Both vulnerabilities affect Adobe Flash Player”.
Adobe Flash is one of those products that is constantly badgering me to get updated at home. I leave this turned on because Flash is a real target for attackers.
“The most commonly observed types of exploits in 1H11 were those targeting vulnerabilities in the Oracle (formerly Sun) Java Runtime Environment (JRE), Java Virtual Machine (JVM), and Java SE in the Java Development Kit (JDK). Java exploits were responsible for between one-third and one-half of all exploits observed in each of the four most recent quarters”.
Other products like Java and Adobe Reader are nice targets too because they have vulnerabilities and are rarely patched. At work, we patch the Adobe products via System Center Essentials. You can also use ConfigMgr 2007 to do this.
“As in previous periods, infection rates for more recently released operating systems and service packs are consistently lower than earlier ones, for both client and server platforms. Windows 7 and Windows Server 2008 R2, the most recently released Windows client and server versions, respectively, have the lowest infection rates”.
A) Newer products always do more under the hood to protect themselves. B) Newer home PCs will have current AV. C) Newer business deployments will have had a fresh installation of patching/security systems that some more mature environments have lacked, e.g. lack of WSUS, etc.
Interestingly, in the regional analysis, Italy appears to lead the pack at minimizing most malware infections (congrats!) but is second worst when it comes to adware infections (boo!).
Don’t be so quick to blame Microsoft: 44.8% of exploits are because of the weakness that is found between the keyboard and the chair, where the user is handing over some piece of information or OK-ing something bad.
Drive by attack download sites (innocent web sites that have been compromised, e.g. adspace that was sold and contains a Flash exploit) are on the rise.
There’s a lot of good info in the Security Intelligence Report. You should give it a read if considering the security of your business.
This blog post is the property of Aidan Finn (@joe_elway / http://www.aidanfinn.com) and may not be reused in any manner without prior consent of Aidan Finn. You may quote one paragraph from this blog post if you link to the original blog post.