Symantec Global ISTR XV Vulnerability Highlights
I am proud to announce the release of Volume 15 of the Symantec Global Internet Security Threat Report. I would like to take this opportunity to give a preview of some of the findings in the vulnerabilities section of this report.
In previous years, we observed that ActiveX vulnerabilities were on the rise. This trend was largely driven by security researchers employing various fuzzing tools to audit ActiveX controls for vulnerabilities. In 2008, 70 percent of all browser plug-in vulnerabilities could be attributed to vulnerable ActiveX controls. In 2009 there was a significant decline in the proportion of ActiveX vulnerabilities when compared to other browser plug-in technologies. In the report we observed that only 42 percent of browser plug-in vulnerabilities affected ActiveX controls. Vulnerabilities in other browser plug-ins increased as a result. In particular, Java SE accounted for 11 percent of browser plug-in vulnerabilities in 2008 but rose to 26 percent in 2009. Adobe Reader also saw a significant increase, rising from 4 percent of browser vulnerabilities in 2008 to 11 percent in 2009.
In the report we have also taken a look at the top attacked vulnerabilities. Of the vulnerabilities discovered in 2009, the Microsoft Windows Smb2ValidateProviderCallBack vulnerability had the most attack activity associated with it. In 2008 the top attacked vulnerability observed was the Microsoft Windows Server Service vulnerability. Interestingly, these were server-side vulnerabilities that attackers could exploit without having to entice victims to perform actions such as visiting a malicious website. The remainder of the top attacked vulnerabilities in 2008 and 2009 were client-side vulnerabilities, which do require that attackers lure victims to perform an action such as visiting a malicious or compromised website.
In 2009 Symantec documented 12 zero-day vulnerabilities. This is an increase over the 9 zero-day vulnerabilities documented in 2008. In the past, we saw that the majority of zero-day attacks were associated with Microsoft Office components. These were employed in a number of targeted attacks against organizations and typically involved enticing a user to open a work-related document. In 2009 the observed zero-days were more diverse; in addition to Microsoft Office, targets included Adobe Reader, Microsoft DirectX, and IIS. Targeted attacks are still one of the motivations behind the exploitation of zero-day vulnerabilities, as we observed recently with the Trojan.Hydraq incident.
To find out more about some of the factors driving these and other major trends, please check out the latest Symantec Internet Security Threat Report.