Public vulnerabilities and exploits have skyrocketed in the first six months of 2014, with new research showing that Internet Explorer vulnerabilities have increased more than 100% since 2013, surpassing Java and Flash vulnerabilities.
Bromium’s Endpoint Exploitation Trends H1 2014 report indicates that public Java zero-days have declined. In 2013, Java led among vulnerabilities and public exploits, but this trend has reversed in 2014. In fact, in the first six months of 2014, there has not been a single public Java exploit.
“2010-2013 were clearly the years of Java exploits. Since then a lot of things have changed: old versions of JRE are blocked in the browser by default, Java applets now require explicit activation from users, so this attack vector becomes harder and harder to leverage,” the firm said in its report. “In response to ever-increasing defenses deployed by security vendors and software developers, attackers switched to other popular plugins.”
The IE spike is a trend that is underscored by a progressively shorter time to first patch for its past two releases. Typically these attacks are launched via classic spear-phishing tactics that use users as bait, making it more critical for Microsoft to roll out fixes quickly.
“End users remain a primary concern for information security professionals because they are the most targeted and most susceptible to attacks,” said Rahul Kashyap, chief security architect at Bromium, in a statement. “Web browsers have always been a favorite avenue of attack, but we are now seeing that hackers are not only getting better at attacking Internet Explorer, they are doing it more frequently.”
Bromium also found that ActionScript Spray has emerged as a driver of zero-day attacks. Both Internet Explorer and Flash zero-days have leveraged ActionScript Sprays, an emerging technique that bypasses address space layout randomization (ASLR) with a return-oriented programming (ROP) chain.
“Both IE exploits released in 2014 (CVE-2014-1776, CVE-2014-0322) used Flash to build the ROP chain and launch shellcode,” Bromium noted. “This technique leverages the way dense arrays are allocated in memory. If a vulnerability allows an attacker to control the size of a vector they could make it as big as the whole memory space and then search for the necessary API calls and ROP gadgets.”
Overall, the research points out that the criminal landscape is in a constant state of flux.
“Cyber-attacks come in cycles,” the firm noted. “Hackers always attack the weakest link in the chain and adjust their targets frequently. As a result of high-profile attacks and the increasing spotlight on cyber-security, vendors are improving their software development practices, but in reality all software is vulnerable to attack. In the ever-shifting cyber-landscape the attackers’ choice of targets is driven by the ease with which a particular product can be attacked, its importance to the intended targets of the attacker and how prevalent the software is in the market.”