Targeted attacks that are part of APT campaigns commonly use exploit documents in their social engineering ploy. These exploit documents serve as unassuming carriers of the attacker’s payload malware into the target’s computer. Since exploit documents are one of the first arrival vectors of APT malware, a little knowledge of the most exploited software and vulnerability will go a long way in removing low hanging security holes within one’s organization.
Taking data from exploit documents gathered last April, we can see that the most exploited MS Office software is MS Word.
The big reason for this is that two of the most reliable exploits used by attackers targeted CVE-2010-3333 and CVE-2012-0158, which are MS Word vulnerabilities.
Coming in at third place as the most common vulnerabilities exploited is CVE-2009-3129, which is an MS Excel software bug. This graph fits in perfectly with the first one as Excel is the second most exploited Office software.
For the past two years, exploit documents have extensively used CVE-2010-3333 to install malware. However, just last April, it was quickly surpassed by CVE-2012-0158. Its rise as the exploit of choice by attackers are well-documented by Trend Micro researches on two blog entries found here and here.
From these graphs, we can easily deduce that:
- Reliable exploits have long lifespans. Attackers would rather use old reliable exploits such as CVE-2010-3333 that are proven to work instead of experimenting with new, but unreliable exploits.
- A lot of organizations do not update their software. The wide use of a two year old vulnerability just shows patch levels in many industries are not updated.
- Rapid adoption and use of a new reliable exploit. Within a span of two weeks, CVE-2012-0158 went from zero to actually surpassing CVE-2010-3333 as the preferred exploit of attackers. This just shows that the time window for patching critical vulnerabilities is small, which requires due diligence and discipline on patch management by organizations.
Trend Micro Deep Security protects users this threat, specifically via the following rules:
- 1004973 – MSCOMCTL.OCX RCE Vulnerability For Rich Text File (CVE-2012-0158)
- 1004977 – Restrict Microsoft Windows Common ListView And TreeView ActiveX Controls
- 1004978 – MSCOMCTL.OCX RCE Vulnerability For Office Binary File (CVE-2012-0158)