ISTR XIII: Vulnerability Highlights
With the launch of volume XIII of the Symantec Internet Security Threat Report (ISTR), I’d like to discuss some of the highlights we’ve seen in vulnerability trends for the last six months of 2007.
Zero-days in regional applications
During the last six months of 2007, Symantec observed a trend towards zero-day vulnerabilities that target applications in China and Japan. Of the nine zero-day vulnerabilities tracked during this period, seven affected popular Japanese and Chinese applications, such as JustSystem Ichitaro, Lhaz, GlobalLink, SSReader Ultra Star Reader, and Xunlei Web Thunder. This is a change from previous periods, where we saw attackers concentrate on vulnerabilities in Microsoft Office. It will be interesting to see if attackers continue to focus on region-specific applications. So far this year, we’ve already seen a zero-day attack targeting the Lianzong game platform. However, we’ve also seen a zero-day targeting Microsoft Excel.
Browser plug-in vulnerabilities remain popular
Vulnerabilities affecting plug-ins for Web browsers have stayed at a high-water mark. We documented 239 plug-in vulnerabilities in the second half of 2007, and 237 plug-in vulnerabilities in the first half of 2007. ActiveX is still the main culprit, but we observed a drop from 210 ActiveX vulnerabilities in the first half of 2007 to 190 ActiveX vulnerabilities in the second half.
This trend is driven by two factors. On the security research side, tools for auditing and fuzzing ActiveX/COM objects, such as AxMan and COMRaider, make it possible to automate the discovery of these vulnerabilities. From an attacker’s perspective, these are ideal candidates for inclusion in Web-based attack frameworks, such as MPack, IcePack, and Neosploit. Additionally, the average user often has no idea that these components are even installed on their computer, which makes it that much more difficult to obtain security updates or remove unneeded components. This means that they sit dormant, waiting to be exploited. Other plug-in technologies, such as Java and QuickTime, are far less prone to these types of problems, and this is reflected in lower vulnerability totals for these types of plug-ins.
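As an added example (not code from this post or from Symantec), the PowerShell below inventories the ActiveX controls registered on a Windows host and flags the ones a Web page can script that have no Internet Explorer kill bit set, which is the first step in finding the dormant components described above. The registry locations, the "Compatibility Flags" kill-bit value (0x400) and the two safety category GUIDs are the documented Windows/IE ones; the filter that treats anything outside %SystemRoot% as third-party is a heuristic assumption.

```powershell
# Added example: inventory registered ActiveX controls and their kill-bit status.
# Run in an elevated PowerShell session so that every CLSID key is readable.
$SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForScripting
$SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForInitializing
$KillBitRoot         = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit             = 0x400                                        # "Compatibility Flags" bit that disables the control in IE

function Get-ActiveXInventory {
    # Only CLSIDs that carry a "Control" subkey are OLE/ActiveX controls.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
      Where-Object { Test-Path -LiteralPath "$($_.PSPath)\Control" } |
      ForEach-Object {
        $clsid  = $_.PSChildName
        $name   = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).'(default)'
        $server = (Get-ItemProperty -LiteralPath "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        # Implemented Categories lists the safety categories the control claims for itself.
        $cats   = Get-ChildItem -LiteralPath "$($_.PSPath)\Implemented Categories" -ErrorAction SilentlyContinue |
                    ForEach-Object { $_.PSChildName }
        # The kill bit lives under a per-CLSID key in the ActiveX Compatibility hive.
        $flags  = (Get-ItemProperty -LiteralPath "$KillBitRoot\$clsid" -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            CLSID            = $clsid
            Name             = $name
            Server           = $server
            SafeForScripting = ($cats -contains $SafeForScripting)
            SafeForInit      = ($cats -contains $SafeForInitializing)
            KillBitSet       = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        }
      }
}

# Controls that are scriptable from a Web page, are not shipped under %SystemRoot%
# (heuristic for third-party components), and carry no kill bit are the ones to review.
Get-ActiveXInventory |
  Where-Object { $_.SafeForScripting -and -not $_.KillBitSet -and $_.Server -notlike "$env:SystemRoot\*" } |
  Sort-Object Name |
  Format-Table CLSID, Name, Server, SafeForInit -AutoSize
```

Setting the kill bit for a control you do not need (a DWORD "Compatibility Flags" of 0x400 under the control's CLSID in the ActiveX Compatibility key) disables it in Internet Explorer without uninstalling the component.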
Site-specific vulnerability reports dwarf other vulnerability totals
In ISTR XII, we hypothesized that site-specific vulnerability research was a cause of the drop in Web application vulnerabilities as a proportion of all vulnerabilities reported. I blogged about this previously—for a quick refresher, have a look here. To clarify, a site-specific vulnerability is one that affects the custom or proprietary Web-application code of a specific Web site. In many cases, the vulnerability could affect a common Web application that is hosted on the site, but we refer to these as site-specific vulnerabilities because they were reported as affecting the Web site rather than a particular piece of software hosted on it.
At the time of writing the previous ISTR, our insight into the number of site-specific vulnerabilities was limited. However, with this latest report we enlisted the aid of the XSSed Project to gain a deeper understanding of the number of site-specific vulnerabilities that are reported. It should be noted that the XSSed Project only gathers data about cross-site scripting vulnerabilities, and there are certainly many other types of vulnerabilities that can affect specific Web sites. However, it is very noteworthy that the number of vulnerabilities in this category alone is significantly higher than the total number of software/hardware vulnerabilities. In the second half of 2007, the XSSed Project documented 11,253 site-specific cross-site scripting vulnerabilities, in contrast to the 6,961 site-specific cross-site scripting vulnerabilities that they documented in the first half of the year (data collection started in February of 2007, when the XSSed Project launched). This is much greater than the 2,134 software/hardware vulnerabilities Symantec documented in the second half of the year, and the 2,461 vulnerabilities documented in the first half of 2007.
These highlights and more can be found in Volume XIII of the Symantec Internet Security Threat Report.
Greg Ahmad has blogged extensively about ActiveX threats, so please have a look at his articles, here, here, and here.