Web browsers are an integral part of home and business computing environments and are among the most popular and ubiquitous applications on computer systems. Because of this popularity, exploiting security vulnerabilities in browsers is a common way for attackers to compromise computers. Vulnerabilities in browsers and browser plug-ins facilitate the propagation of malware and aid other attacks such as fraud and the theft of sensitive information. These issues are used not only to compromise computers in targeted attacks; vulnerabilities affecting browser applications are also exploited en masse by malware, bot networks, and exploit toolkits. Attacks that take advantage of vulnerabilities in browsers and associated applications such as browser plug-ins are now very common. According to the recent Symantec Global Internet Security Threat Report, a significant number of new vulnerabilities were reported in various browsers during 2009, along with an increase in the overall number of vulnerabilities.
In addition to Web browsers, browser plug-ins are also very popular applications. Plug-ins such as Apple QuickTime, Adobe Reader and Flash Player, browser extensions, Microsoft ActiveX, and Java all extend browser functionality to facilitate the execution of other content within the browser. These plug-ins are also affected by a variety of vulnerabilities that are often used in client-side attacks to compromise affected computers. Of these plug-ins, Java stands out as a particularly rewarding target due to its popularity and ability to run on multiple platforms. Similar to other plug-ins, vulnerabilities in Java can be exploited to gain control over a vulnerable computer. This can be accomplished through the establishment of malicious sites hosting exploits or by enticing users to process malicious applets—as highlighted by vulnerabilities such as the issues described in BIDs 39346 and 32608. Various interesting vulnerabilities, including logic errors and sandbox bypass issues, have been found in Java. Exploits for these issues often bypass memory protection and other defensive technologies, and they present a particular threat to detection and defense (as discussed in my colleague Adrian Pisarcyk's blog entitled "Perfect" Client-Side Vulnerabilities).
Trends from the past few years indicate that not only have there been numerous vulnerabilities in Java, but over the years the number of issues affecting Java has been on the rise:
Published in the spring of 2008, the Symantec Global Internet Security Threat Report, Volume XIII discussed 17 vulnerabilities that were discovered to affect Java in the 2007 reporting year. The number of Java vulnerabilities rose to 45 in 2008, and reached 84 in 2009. At the time of this blog's publication, we have already seen around 30 Java vulnerabilities published in the first few months of 2010. If recent trends are anything to go by, we should see even more vulnerabilities affecting Java in 2010 than in previous years.
Java vulnerabilities make up a significant portion of all vulnerabilities identified in browser plug-ins. Over the past two years the number of issues found in Java has been second only to ActiveX-control vulnerabilities. Symantec found that in 2008, Java vulnerabilities made up only 11 percent of all vulnerabilities found in browser plug-ins. This percentage increased significantly in 2009 when Java vulnerabilities made up 26 percent of all vulnerabilities found in browser plug-ins. Publicly available exploit code also exists for some of these vulnerabilities, while proof-of-concept code and commercial private exploits have been developed for others.
Considering the popularity of Java, the rising number of vulnerabilities in the application, the availability of exploit code, and in-the-wild exploitation of these issues, it is likely that we will see more threats that increasingly leverage them to compromise vulnerable computers. In light of these developments, it is imperative that users take precautions to protect themselves against potential attacks:
- Avoid following links to sites of a suspicious nature.
- Avoid opening files that originate from unknown or suspicious sources.
- Ensure that all applications are fully patched and running with the minimal amount of privileges required for functionality.
- Use memory-protection technologies such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) to prevent code-execution attacks.
- Deploy IDS/IPS sensors to detect attacks.
- Use ingress and egress filtering of network traffic.
- Employ user account audit and control, including access limitations and the prevention of unauthorized actions such as the installation of arbitrary applications (plug-ins, for example).
- Deploy desktop and endpoint antivirus and security applications.