Vulnerability Research and Disclosure: Evolving To Meet Targeted Attacks

  • Posted on: February 13, 2015 at 12:40 am
  • Posted in: Targeted Attacks, Vulnerabilities
  • Author: Weimin Wu (Threat Analyst)

Recently, both HP’s Zero Day Initiative (ZDI) and Google’s Project Zero published vulnerabilities in Microsoft products (specifically, Internet Explorer and Windows 8.1) because Redmond did not fix them within 90 days of the vulnerabilities being reported.

This has resulted in an argument between security researchers and software vendors on how vulnerabilities should be disclosed. A case where a vulnerability was disclosed without a patch has mixed results for end users:

  • It pushes vendors to respond more quickly when vulnerabilities are disclosed to them in the future;
  • However, it also increases the time window when attacks can be carried out using these unpatched vulnerabilities.

This is a long and complicated discussion that it would not be productive for me to jump into. Instead, we should look at why this particular debate has become more pointed recently. This is because the landscape of vulnerability research is changing.

For a long time, most vulnerabilities were discovered (and disclosed) by independent researchers (like white-hat hackers). At some level, they treat vulnerability research as a hobby. They have no incentive (or capability) to force vendors to fix vulnerabilities.

However, since 2010, many targeted attack campaigns have been discovered and documented. Professionals everywhere are now aware that anyone can be the victim of a targeted attack. Many of these incidents use zero-day vulnerabilities to compromise user systems.

This has resulted in both established security vendors and startups expanding their ability to discover vulnerabilities in applications and websites. In effect, the ecosystem surrounding vulnerability research has been changed by the need to deal with targeted attacks.

Trend Micro vulnerability research

Trend Micro has also been expanding its own vulnerability research capabilities. In 2014, we discovered 19 critical vulnerabilities in various applications that could be exploited for remote code execution. Eleven of these affected Internet Explorer, three affected Adobe Flash Player, and two each affected Adobe Reader/Acrobat and Java. We also found one vulnerability in Netcore/Netis routers.

Figure 1. Discovered vulnerabilities in 2014

The 19 critical vulnerabilities (and affected software) which we found and reported to the appropriate vendors in 2014 are:

  • CVE-2014-0290 – Internet Explorer
  • CVE-2014-0417 – Java
  • CVE-2014-0525 – Adobe Acrobat/Reader
  • CVE-2014-0536 – Adobe Flash
  • CVE-2014-0559 – Adobe Flash
  • CVE-2014-0581 – Adobe Flash
  • CVE-2014-1753 – Internet Explorer
  • CVE-2014-1772 – Internet Explorer
  • CVE-2014-1782 – Internet Explorer
  • CVE-2014-1804 – Internet Explorer
  • CVE-2014-2401 – Java
  • CVE-2014-2768 – Internet Explorer
  • CVE-2014-4057 – Internet Explorer
  • CVE-2014-4095 – Internet Explorer
  • CVE-2014-4097 – Internet Explorer
  • CVE-2014-4105 – Internet Explorer
  • CVE-2014-6368 – Internet Explorer
  • CVE-2014-6443 – Netcore/Netis routers
  • CVE-2014-8447 – Adobe Reader and Acrobat

Why vulnerability research matters

Vulnerability research has the following benefits for security vendors:

  1. It allows vendors to anticipate the exploit landscape, and craft solutions in advance accordingly.

In 2013, the biggest source of exploit trouble was Java. However, we predicted that Internet Explorer and Adobe Flash would be the next targets. The reason was simple: attackers focus on the applications with the least security protection. Java had been forced by the events of 2013 to improve its security; other platforms would now be the focus of attackers.

We put our resources into investigating Internet Explorer and Flash from late 2013 onwards. As a result, we were able to discover zero-day vulnerabilities (like CVE-2014-8439, CVE-2015-0311, or CVE-2015-0313) as well as improve our ability to detect various commonly used exploit kits.

  2. It validates solution effectiveness against unknown threats.

Research into unpublished vulnerabilities helps confirm which solutions are or are not effective. For example, after Internet Explorer introduced "delay free", most UAF vulnerabilities could no longer be exploited with the techniques of the time. This did not render attacks impossible, only more difficult.

If a new method is found – whether discovered by attackers or disclosed by researchers – how can we know right away whether our protection is effective or can be bypassed, without a sample? Our own findings can be used to simulate the conditions in such a situation.

  3. It lets us respond effectively to zero-day and N-day exploits.

Every solution has its own inherent difficulties and limitations. Some exploits, like CVE-2014-6332, require multiple solutions that cover various aspects of the threat. Studying vulnerabilities in detail allows us to identify the root causes of the vulnerabilities and deliver the best solutions.
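The "delay free" point above is easiest to see with a small model. This added example is a constructed simulation, not Internet Explorer's allocator or any Trend Micro code: a pool of same-size slots with classic LIFO reuse beside a quarantine mode that holds freed slots back, measuring how many allocations it takes before a freed slot is handed out again (the reuse a use-after-free depends on).

```c
#include <stdbool.h>
#include <string.h>
/* Constructed simulation (not Internet Explorer's allocator): a pool of
 * same-size slots with LIFO reuse, which a use-after-free relies on to put
 * caller-shaped data under a dangling pointer, beside a "delayed free" mode
 * that quarantines freed slots so the next allocation cannot land on them. */
#define SLOTS 8
#define QUARANTINE 4

typedef struct {
    int  free_stack[SLOTS], free_top;
    int  quarantine[QUARANTINE], q_head, q_count; /* ring of parked slots */
    bool delayed;                                 /* mitigation on or off */
} slab_t;

void slab_init(slab_t *s, bool delayed) {
    memset(s, 0, sizeof *s);
    s->delayed = delayed;
    for (int i = SLOTS - 1; i >= 0; i--) s->free_stack[s->free_top++] = i;
}

int slab_alloc(slab_t *s) { return s->free_top ? s->free_stack[--s->free_top] : -1; }

void slab_free(slab_t *s, int slot) {
    if (!s->delayed) { s->free_stack[s->free_top++] = slot; return; } /* instantly reusable */
    /* Delayed free: park the slot; only when the ring is full does the
     * oldest parked slot go back on the free list. */
    if (s->q_count == QUARANTINE) {
        s->free_stack[s->free_top++] = s->quarantine[s->q_head];
        s->q_head = (s->q_head + 1) % QUARANTINE;
        s->q_count--;
    }
    s->quarantine[(s->q_head + s->q_count) % QUARANTINE] = slot;
    s->q_count++;
}

/* Allocations needed after freeing a slot before that same slot comes back:
 * 1 with classic free (the dangling pointer aliases the very next object),
 * QUARANTINE + 1 with delayed free, or -1 if it never returns in SLOTS tries. */
int allocations_until_reuse(bool delayed) {
    slab_t s;
    slab_init(&s, delayed);
    int victim = slab_alloc(&s); slab_free(&s, victim);
    for (int n = 1; n <= SLOTS; n++) {
        int got = slab_alloc(&s);
        if (got == victim) return n;
        slab_free(&s, got);            /* keep churning to cycle the ring */
    }
    return -1;
}
```

The quarantine does not remove the dangling pointer; it only breaks the assumption that the next allocation of the same size reclaims the stale slot, which is why the post describes it as making exploitation harder rather than impossible.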

The exploit landscape of 2015

My colleague Pawan Kinger had earlier discussed the exploit landscape of 2014. As 2015 began, Google revealed three vulnerabilities in Mac OS X. This may serve as a significant sign to attackers that it is worthwhile to investigate the code of open source projects. Users should consider using security products even on Macs, as well as on mobile devices like iOS and Android smartphones and tablets.

Microsoft did a lot to improve the security of its products. Internet Explorer has been strengthened with various anti-exploit techniques. Windows 10 will add the Spartan browser, as well as more OS-level protection techniques like Control Flow Guard (CFG). This will slow down attackers, as they need to understand these new mechanisms before creating new exploits.

However, Adobe Flash Player is less secure, and exploits targeting it are very popular, as the multiple vulnerabilities in use (CVE-2014-0569, CVE-2014-8439, CVE-2014-9163, and CVE-2015-0311) show. In those cases, more and more obfuscation and evasion are in use.

Trend Micro Deep Discovery contains a powerful sandbox that can detect and analyze threats entering the network perimeter, even without any pattern or engine updates. This allows IT administrators to detect threats – including attacks that use zero-day exploits – that attempt to target their organization. Administrators can use this information to craft an appropriate response as necessary. The Browser Exploit Prevention feature in our endpoint products such as Trend Micro™ Security, OfficeScan, and Worry-Free Business Security blocks the exploit once the user accesses the URL at which it is hosted. Browser Exploit Prevention also protects against exploits that target browsers or related plugins.
