Exploits are frequently used in targeted attacks to stealthily infect systems. These exploits do not have to target newly discovered or zero-day vulnerabilities; for example, CVE-2013-2551 (a vulnerability in Internet Explorer) is still being targeted in 2014.
However, zero-day exploits are still a serious threat as these can catch all parties off-guard, including security vendors. Zero-days take advantage of this insecurity window to expose even diligent users and administrators to different threats.
Research for Protection
Our products contain technologies that help address these concerns. These include browser exploit protection, document exploit protection, and virtual patching. These technologies were integrated into both consumer and enterprise products.
Feedback from these products about exploits and vulnerabilities was used to create heuristic rules against both patched and zero-day exploits. These efforts have met with positive results. In 2010, malicious samples that targeted the IE vulnerability which was used to target Google (CVE-2010-0249) were blocked several weeks before the vulnerability was publicly disclosed. Other similar instances involved attacks using CVE-2013-5990, CVE-2013-3346, CVE-2014-0496, and CVE-2014-1761.
We have put much effort and resources into finding vulnerabilities and corresponding zero-day exploits, with some success. In 2014, we found 14 vulnerabilities in various applications that could be used for remote code execution. Ten of these affected Internet Explorer, two Adobe Flash Player, and one each affected Adobe Reader/Acrobat and Java.
Figure 1. Discovered vulnerabilities in 2014
The 14 critical vulnerabilities (and the affected software) that we found and reported to the appropriate vendors in 2014 are:
- CVE-2014-0290 – Internet Explorer
- CVE-2014-0417 – Java
- CVE-2014-0525 – Adobe Acrobat/Reader
- CVE-2014-0536 – Adobe Flash
- CVE-2014-0559 – Adobe Flash
- CVE-2014-1753 – Internet Explorer
- CVE-2014-1772 – Internet Explorer
- CVE-2014-1782 – Internet Explorer
- CVE-2014-1804 – Internet Explorer
- CVE-2014-2768 – Internet Explorer
- CVE-2014-4057 – Internet Explorer
- CVE-2014-4095 – Internet Explorer
- CVE-2014-4097 – Internet Explorer
- CVE-2014-4105 – Internet Explorer
We focus on analyzing samples gathered from victims of targeted attacks, as these give us a more accurate picture of the actual threat landscape. These samples are collected from different sourcing channels such as honeypots, product feedback, and user submissions. We believe that these samples target vulnerabilities which are being used or most likely to be used by attackers.
Possible exploits and vulnerabilities are identified through different methods including heuristic rule scanning, machine learning, and sandboxing. Our automated process handles hundreds of thousands of samples daily, and only several dozen suspicious samples need to be sent to manual analysis.
Like other researchers, we also proactively look for vulnerabilities through static analysis, fuzzing, and penetration testing. We report these to vendors like Microsoft, Adobe, and Oracle before they are used by hackers.
It is through this process that we discovered vulnerabilities in popular software products that are frequent targets for exploitation. We work closely with the affected vendors to provide patches for any vulnerabilities we find. These efforts have led to Trend Micro being recognized as having an excellent record in discovering vulnerabilities in popular Windows applications in 2014.
Common Threads in Vulnerabilities
Different applications have a tendency for certain types of vulnerabilities to be found at certain points in time. This is because attackers like to use vulnerabilities that can be abused by a stable exploit method at that particular time.
For example, the Internet Explorer vulnerabilities we discovered this year are frequently some kind of use-after-free memory corruption vulnerability. Microsoft has issued numerous security bulletins this year addressing UAF vulnerabilities, including two zero-day vulnerabilities (CVE-2014-0322 and CVE-2014-1776).
It may be difficult to truly eradicate similar UAF flaws, for the following reasons:
- Developers are more prone to mistakes when coding in C/C++.
- Document Object Model (DOM) Levels 1 to 4 consist of complex elements and logic, while UAF always occurs in asynchronous processes. This problem can also be found in both Google Chrome and Mozilla Firefox.
- Internet Explorer contains private DOM elements like VML, which makes matters worse by increasing code complexity.
- Microsoft supports backward compatibility. Because the new engine works with the old one (which does not have the improved security of its successor), security is compromised.
Flash Player, meanwhile, suffered from an out-of-bounds access issue. It lacks bounds checking, particularly in code related to certain complex logic. We discovered two vulnerabilities related to this. The Flash zero-day (CVE-2014-0515) reported in April exploited the same kind of vulnerability.
Exploit by Code Reuse
Attackers can now create exploit code for vulnerabilities faster than before with code reuse. Once an exploit has been deemed stable, a template can be created. The template will include all the steps for remote code execution and the methods to bypass security mechanisms like data execution prevention (DEP) and address space layout randomization (ASLR).
DEP prevents the execution of code (including malicious shellcode) from memory regions marked non-executable. ASLR, on the other hand, randomizes the layout of regions (data areas) in memory to make guessing the exact location more difficult.
With code reuse, it becomes easier to implement a new exploit once a similar vulnerability is found. Only minor changes are needed to ensure that the relevant registers hold the expected values once the exploit is performed.
We’ll use CVE-2014-0322 and CVE-2014-1776 as examples. These two vulnerabilities are both related to UAF. The exploit template for these bugs will have four steps:
- Use Flash ActionScript to do a heap spray, so that most of the address space will be accessible via the bug and two adjacent vectors.
- To bypass ASLR, search the address of ZwProtectVirtualMemory, and use it to compose return-oriented programming (ROP) code, which can be used to counter exploit prevention techniques.
- Modify the vtable of flash.media.Sound to point to the ROP code and call that virtual function. After that, the permissions on the shellcode are changed to RWX, which means DEP is also bypassed.
- Return to shellcode – the arbitrary code gets executed.
The Future of Exploits
It has been said that attackers have concentrated on finding vulnerabilities in Internet Explorer and Flash Player this year. Our own work supports this, with the issue of UAF figuring prominently in the first half of the year.
Soon after Microsoft released their two mitigation solutions, UAF-related exploits became less of a problem. Even though we saw that UAF vulnerabilities were still present, they were no longer exploitable using older exploit methods. While the mitigation solutions are now in place, we predict that UAF exploits will stage a comeback once these mitigation steps are overcome. This may coincide with the release of a new version of Internet Explorer next year.
We believe that it is inevitable that attackers will use new methods or target new vulnerabilities. We are already seeing other types of vulnerabilities, such as out-of-bounds and type confusion vulnerabilities, being targeted instead of UAF.
The same could be said for bypassing security mechanisms. DEP and ASLR can both be bypassed today, and research has shown it is also possible to bypass the newer protection mechanisms. For example, in some special conditions, an object can still be freed immediately in a “delay free” flow. It is merely difficult, but not impossible, to reach those specific conditions deliberately.
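The UAF root causes listed under Common Threads and the "delay free" flow mentioned above can both be seen in a toy allocator. This is an added example, not code from the post or from Internet Explorer's heap: the fixed pool, the quarantine depth and the poison byte are constructed values, and a real deferred-free implementation is far more involved.

```c
#include <string.h>

/* Toy slot allocator modelling two free policies on one fixed pool:
 *   immediate_free: the slot is reusable by the very next allocation,
 *                   which is exactly the window a use-after-free needs;
 *   delay_free:     the slot is parked in a FIFO quarantine and only
 *                   becomes reusable after QUARANTINE_DEPTH later frees. */
#define POOL_SLOTS       8
#define SLOT_SIZE        64
#define QUARANTINE_DEPTH 4

static unsigned char pool[POOL_SLOTS][SLOT_SIZE];
static int in_use[POOL_SLOTS];             /* 1 while allocated OR quarantined */
static int quarantine[QUARANTINE_DEPTH];   /* ring of slot indices */
static int q_head, q_count;

void pool_reset(void) { memset(in_use, 0, sizeof in_use); q_head = q_count = 0; }

int slot_of(const void *p) {               /* index of the slot p points into */
    return (int)(((const unsigned char *)p - &pool[0][0]) / SLOT_SIZE);
}

void *pool_alloc(void) {                   /* lowest slot not marked in_use */
    for (int i = 0; i < POOL_SLOTS; i++)
        if (!in_use[i]) { in_use[i] = 1; return pool[i]; }
    return NULL;
}

void immediate_free(void *p) {             /* naive policy: reusable at once */
    in_use[slot_of(p)] = 0;
}

/* Deferred free: the slot keeps its in_use mark while quarantined, so no new
 * allocation can land under a dangling pointer. Returns the slot index that
 * was actually released (the oldest quarantined one), or -1 if none was. */
int delay_free(void *p) {
    int s = slot_of(p), evicted = -1;
    memset(pool[s], 0xCC, SLOT_SIZE);      /* poison stale contents */
    if (q_count == QUARANTINE_DEPTH) {     /* quarantine full: evict oldest */
        evicted = quarantine[q_head];
        in_use[evicted] = 0;
        quarantine[q_head] = s;
        q_head = (q_head + 1) % QUARANTINE_DEPTH;
    } else {
        quarantine[(q_head + q_count++) % QUARANTINE_DEPTH] = s;
    }
    return evicted;
}
```

With immediate_free the very next allocation lands on the stale pointer, while with delay_free the same slot cannot be handed out again until QUARANTINE_DEPTH further frees have pushed it out of the quarantine, which is also why this kind of protection is bounded rather than absolute.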
Creating a Security Ecosystem
Trend Micro will continue to invest in exploit and vulnerability research. However, it is clear to us that using our research only for our products is not sufficient. Building an ecosystem to prevent zero-day attacks becomes necessary as more targeted attacks use them. Blocking such threats should not be the final step; both end users and vendors need to be informed to fully protect everyone from these threats.
What should end users do until then? They should ensure that their software is up-to-date, both to ensure that as few known vulnerabilities as possible are present and to ensure that the latest exploit mitigations are in place. As we noted earlier, our research is used directly to provide protection for our users.
In particular, enterprises should look into Deep Discovery, which is designed to discover targeted attacks. Heuristic scanning and sandbox protection are effective and efficient ways of identifying unknown threats, and Deep Discovery uses the knowledge gathered via our research to provide the most complete heuristic detection for exploits.