Current Vulnerability Trends

By Jerry Adams on November 14, 2016

Increased Adobe Flash Vulnerabilities Exploitation

In 2015 Adobe Flash was among the most exploited application (2016 Feb., “HPE Security Research: Cyber Risk Report 2016“).  Among the most exploited Adobe vulnerabilities were the major zero-day vulnerabilities: CVE-2015-5119, CVE-2015-5122 and CVE-2015-5123 (Kerbs, B., 2015 Jul. 15).  Just days after CVE-2015-5119 was announced, it was found in seven exploitation kits: Angler, Neutrino, Nuclear Pack, Magnitude, RIG, Hanjuan and Nullhole (Kafeine, 2015 Jul. 7) (Li, B., 2015 Jul. 7).  CVE-2015-5122 was also found in six exploit kits: Angler, Neutrino, Nuclear Pack, RIG, Magnitude and Nullhole (Kafeine, 2015 Jul. 11).  Only CVE-2015-5123 was not found in any kits, though the exploit code is out and could potentially appear in kits in the future.

Due to the severity and the availability of the exploit kits, may vendors who use Adobe Flash on their websites were forced to temporarily block it to prevent their customers to be affected (2016, “2016 Cyberthreat and Trends Report“).  Likewise browser giants Google Chrome and Mozilla Firefox decided to just block the older version of Adobe Flash altogether to better protect their customers (Woollaston, V., 2015 Jul. 14). Building on top of that both Mozilla and Google Chrome both announced this past summer that they will drop support for Adobe Flash altogether, citing security concerns (Smedberg, B., 2016 Jul. 26) (LaForge, A., 2016 Aug. 9).  Instead they will move on to HTML5 which is more secure and efficient.

With the rise of Adobe Flash exploits this may have caused the previously fequent Java exploits to be on the decline, as reported by Microsoft in their “2016 Trends in Cybersecurity” report.  According to Microsoft the top Java vulnerabilities, CVE-2012-1723, CVE-2010-0840, CVE-2012-0507 and CVE-2013-0422 have all saw a decrease use in 2015 as detected by Microsoft’s anti-malware products (Microsoft, 2016).  HP also reported similar information, stating that “Although several vulnerabilities in JRE were discovered in 2015, none of them allowed remote code execution which lowers the interest of malware attackers in Java. Combine this with the fact that many people learned how to disable Java from running within a web browser environment, and it is easy to understand why Java fell in 2015” (Hewlett-Packard Enterprise, 2016).  Cybercriminals may now be relying more on Adobe Flash’s vulnerabilities to deliver malware instead of Java.

Windows Still the Most exploited Platform; But Not Most Exploited Software

According to Hewlett Packard Enterprise’s Cyber Risk Report 2016, the Windows family of operating systems are still most exploited platforms with 42% of the top 20 exploits being targeted to Windows (Hewlett-Packard Enterprise, 2016).  Likewise Windows is the platform that has the most malware, with 94% and Android a distant second. Focusing on Windows malware, worms and virus such as Allaple and Elkern are among the top malware families affecting Windows.  Allaple is polymorphic worm discovered more than eight years ago that affects HTML files.  Likewise, Elkern is a virus that was discovered more than ten years ago and mostly was nuisance worm, overwriting and deleting files.  The fact that the top two malware affecting Windows are worms and viruses from eight to ten years ago shows that patching machines are still very much a problem  (Hewlett-Packard Enterprise, 2016).

Despite Windows being the most exploited platform, it is not the most exploited family of software.  According to Microsoft, vulnerabilities to the core Windows operating system only accounted for a little under a 1000 vulnerabilities in the second half of 2015.  In contrast, software applications that were not created by Microsoft accounted for about 1500 vulnerabilities in the same time frame (Microsoft, 2016 May 5).  According to Microsoft in their “2016 Trends in Cybersecurity” report, most IT departments concentrate on patching operating systems but as seen in the numbers they account for a minimal amount of vulnerabilities when compared to applications.  IT departments need to spend time assessing and patching software applications or they will miss a lot of potential harmful ways their systems could be exploited via these applications (Microsoft, 2016).  According to HP, Adobe PDF and HTML maybe the most widely exploited software, at least when being exploited via web or email (Hewlett-Packard Enterprise, 2016).

Number of critical vulnerabilities up; Insecure Transport and Privacy Violations vulnerabilities were most seen

According to Microsoft, in their “Security Intelligence Report”, they reported that a little under 1,500 “high- critical” priority vulnerabilities in the second half of 2015, up from previous years. Similarity, over 1,800 vulnerabilities reported in the second half of 2015 were considered “low complexity” or in other words, they are not very complex so they are easy to exploit, making them more critical.  This figure too was up from previous years (Microsoft, 2016 May 5).

According to Hewlett-Packard’s (HP) “Cyber Risk Report 2016”, the top most widely seen vulnerabilities were categorized into different categories and the top two categories were “System Information Leak: External” and “Insecure Transport: Hypertext Transfer Protocol Shared Transport Security (HSTS) not set”.  “System information leak: external” is when too-detailed error messages leak system data that might help attackers gain dangerous visibility into the system.  “Insecure transport: HSTS not being set”, is when HSTS which is used to counter against man-in-the-middle (MitM) attacks over Secure Socket Layer/ Transport Layer Security (SSL/TLS) is not set up.  With HSTS not setup attacks such as downgrade and cookiejacking can occur.  Despite these two categories of vulnerabilities being the most seen, they are not the top critical vulnerabilities seen. HP also went through the most critical vulnerabilities that had occurred the most and also categorized them. The top two most critical categories were “Insecure Transport: Weak SSL Protocol” and “Privacy Violations”.  Insecure Transport: Weak SSL Protocol is mostly due to two SSL/TSL vulnerabilities from late in 2014, CVE-2014-3566 and CVE-2014-8730, also known as the POODLE attack, which take advantage of the old SSL v3 weaknesses (Moller, B. et al, 2014).  Many developers may still continue to use weak SSL protocols and ciphers in 2016 because they are backwards compatible, albeit the security risks are obvious. As for the privacy violations, one easy to prevent but still commonly occurring reason for it being a top critical vulnerability is because almost 10% of applications make use of hard-coded passwords (Hewlett Packard Enterprise, 2016).

References:

  • Hewlett-Packard Enterprise. (2016 Feb.). “HPE Security Research: Cyber Risk Report 2016“. Hewlett Packard Enterprise Development LP. Retrieved from http://www8.hp.com/us/en/software-solutions/cyber-risk-report-security-vulnerability/
  • Kafeine. (2015 Jul. 7). “CVE-2015-5119 (HackingTeam 0d – Flash up to 18.0.0.194) and Exploit Kits“. Malware don’t need
    Coffee [Weblog].  Retrieved from http://malware.dontneedcoffee.com/2015/07/hackingteam-flash-0d-cve-2015-xxxx-and.html
  • Kafeine. (2015 Jul. 11). “CVE-2015-5122 (HackingTeam 0d – Flash up to 18.0.0.194) and Exploit Kits“. Malware don’t need
    Coffee [Weblog]. Retrieved from http://malware.dontneedcoffee.com/2015/07/cve-2015-5122-hackingteam-0d-two-flash.html
  • Li, B. (2015 Jul. 7). “Hacking Team Flash Zero-Day Integrated Into Exploit Kits“. TrendLabs Security Intelligence Blog [Weblog]. TrendMicro, Inc. Retrieved from http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-flash-zero-day-integrated-into-exploit-kits/
  • Kerbs, B. (2015 Jul. 15) “Third Hacking Team Flash Zero-Day Found“. Krebs on Security [Weblog]. Retrieved from https://krebsonsecurity.com/2015/07/third-hacking-team-flash-zero-day-found/
  • Verisign. (2016). “2016 Cyberthreat and Trends Report“. Verisign, Inc. Retrieved from https://www.verisign.com/en_US/forms/reportcyberthreatstrends.xhtml
  • Microsoft. (2016). “2016 Trends in Cybersecurity”. Microsoft Corporation. Retrieved from https://info.microsoft.com/rs/157-GQE-382/images/EN-MSFT-SCRTY-CNTNT-eBook-cybersecurity.pdf
  • Microsoft. (2016 May 5). “Microsoft Security Intelligence Report Volume 20: Key Findings”. Microsoft Corporation. Retrieved from https://www.microsoft.com/security/sir/default.aspx
  • Woollaston, V. (2015 Jul. 14) “Google and Mozilla pull the plug on Adobe Flash: Tech giants disable the program on browsers following ‘critical’ security flaw”. Daily Mail [Newspaper]. Associated Newspapers Ltd. Retrieved from http://www.dailymail.co.uk/sciencetech/article-3160644/Google-Mozilla-pull-plug-Adobe-Flash-Tech-giantsdisable-
    program-browsers-following-critical-security-flaw.html
  • Smedberg, B. (2016 Jul. 26). “Reducing Adobe Flash Usage in Firefox”. Mozilla Foundation. Retrieved from https://blog.mozilla.org/futurereleases/2016/07/20/reducing-adobe-flash-usage-in-firefox/
  • Moller, B., Duong, T., Kotowicz, K. (2014 Sept). “This POODLE Bites: Exploiting The SSL 3.0 Fallback“. OpenSSL. Retrieved from https://www.openssl.org/%7Ebodo/ssl-poodle.pdf
  • LaForge, A. (2016 Aug. 9). “Flash and Chrome“. Google Chrome Blog [Weblog]. Alphabet Inc. Retrieved from https://chrome.googleblog.com/2016/08/flash-and-chrome.html