In recent years, we have seen client-side software heavily targeted by hackers in search of vulnerabilities. 2011 saw these threats become more complex and sophisticated. We saw attackers increasingly use zero-day vulnerabilities, some of which have been particularly critical. Examples of these include the vulnerability Duqu exploited (CVE-2011-3402); a Java vulnerability (CVE-2011-3544); or Adobe zero-day vulnerabilities, which were exploited in the wild.
The exploit attacks we saw this year were targeted, original, sophisticated, and well controlled.
Among the applications most targeted in the wild were Adobe Acrobat, Reader, and Flash Player; Java Runtime Environment (JRE)/Java Development KIT (JDK); and Internet Explorer. Exploit kits like Black Hole and Phoenix were really prompt to pick exploits for these applications and go after users with high success rates. We also saw browser vendors release patches several times within the year to patch critical vulnerabilities.
Attacks were successful because a high percentage of users still used unpatched versions of vulnerable software. According to a CSIS study, 37% of users still browse the web with unsecured Java versions. A Zscaler survey also reported that 56% of enterprise users utilize vulnerable versions of Adobe products, putting the onus on security administrators to deploy virtual patching products such as Trend Micro Deep Security or the OfficeScan IDF plug-in.
Having said that, there’s an ugly side to server/OS vulnerabilities as well. Things largely remained the same in this space, as shown by the number of vulnerabilities in Windows Server 2008 and Red Hat.
Credit to CVE Details as source of the above data
Cybercriminals also exploited vulnerabilities in web applications. SQL injection attacks were used to compromise millions of web pages. In two separate mass SQL injection attacks, malicious scripts were inserted into legitimate websites. The first one in July hit 8 million websites. A second wave in October affected 1 million websites. Apart from SQL injection attacks, attacks exploiting cross-site scripting (XSS), cross-site request forgery, Directory Traversal, and other vulnerabilities in web applications (e.g., PHP, WordPress, Joomla, etc.) also occurred in large numbers and will continue to do so next year.
Some of the 2011 vulnerabilities worth mentioning are:
|CVE-2011-0609||Adobe Flash Player ‘SWF’ File Remote Memory Corruption Vulnerability|
|CVE-2011-3402||Win32k True Type Font Parsing Vulnerability|
|CVE-2011-3544||Oracle Java SE Rhino Script Engine Remote Code Execution Vulnerability|
|CVE-2011-2462||Adobe Acrobat and Reader U3D Memory Corruption Vulnerability|
|CVE-2011-0611||Adobe Flash Player ‘SWF’ File Remote Memory Corruption Vulnerability|
|CVE-2011-3192||Apache httpd Range Header Remote Denial Of Service|
What Can Users Do?
To protect against attacks exploiting the above-mentioned and similar vulnerabilities, a good patch management strategy is required. To mitigate any damage during the patch cycle, a virtual patching solution should be deployed as well.
The trends that we saw in 2011 are going to continue in 2012. We will see attacks become more complicated. The defenses against these threats will have to evolve and adjust to keep users protected in 2012.